Keith Alexander, the NSA, and the cyber-industrial complex

James Bamford has a detailed article titled The Secret War that looks at General Keith Alexander, the head of the NSA, and what he has been secretly constructing. As the subheading says, “INFILTRATION. SABOTAGE. MAYHEM. FOR YEARS, FOUR-STAR GENERAL KEITH ALEXANDER HAS BEEN BUILDING A SECRET ARMY CAPABLE OF LAUNCHING DEVASTATING CYBERATTACKS. NOW IT’S READY TO UNLEASH HELL”

Alexander has been pretty much in the shadows, but his steady accumulation of power, first under George W. Bush and now under Barack Obama, has been extraordinary. If one follows the principle that the flow of money is a good indicator of government priorities and power, then it becomes clear from Bamford’s article that the NSA is where the action now is.

Alexander’s agency has recruited thousands of computer experts, hackers, and engineering PhDs to expand US offensive capabilities in the digital realm. The Pentagon has requested $4.7 billion for “cyberspace operations,” even as the budget of the CIA and other intelligence agencies could fall by $4.4 billion. It is pouring millions into cyberdefense contractors. And more attacks may be planned.

In May, work began on a $3.2 billion facility housed at Fort Meade in Maryland. Known as Site M, the 227-acre complex includes its own 150-megawatt power substation, 14 administrative buildings, 10 parking garages, and chiller and boiler plants. The server building will have 90,000 square feet of raised floor—handy for supercomputers—yet hold only 50 people. Meanwhile, the 531,000-square-foot operations center will house more than 1,300 people. In all, the buildings will have a footprint of 1.8 million square feet. Even more ambitious plans, known as Phase II and III, are on the drawing board. Stretching over the next 16 years, they would quadruple the footprint to 5.8 million square feet, enough for nearly 60 buildings and 40 parking garages, costing $5.2 billion and accommodating 11,000 more cyberwarriors.

What does the government seek to get for all this money and personnel? Pretty much the ability to control the entire internet.

Alexander runs the nation’s cyberwar efforts, an empire he has built over the past eight years by insisting that the US’s inherent vulnerability to digital attacks requires him to amass more and more authority over the data zipping around the globe. In his telling, the threat is so mind-bogglingly huge that the nation has little option but to eventually put the entire civilian Internet under his protection, requiring tweets and emails to pass through his filters, and putting the kill switch under the government’s forefinger.

The Stuxnet attack on Iran, done in collaboration with Israel, was just one of its operations.

The NSA works closely with a mushrooming private cyber sector that includes companies like Booz Allen Hamilton, though many of them work in the shadows, outside the public’s gaze. These private contractors make a lot of money by selling subscriptions to their services, which involve telling their clients about vulnerabilities in systems. One such company is called Endgame.

According to news reports, Endgame is developing ways to break into Internet-connected devices through chinks in their antivirus armor. Like safecrackers listening to the click of tumblers through a stethoscope, the “vulnerability researchers” use an extensive array of digital tools to search for hidden weaknesses in commonly used programs and systems, such as Windows and Internet Explorer. And since no one else has ever discovered these unseen cracks, the manufacturers have never developed patches for them.

Thus, in the parlance of the trade, these vulnerabilities are known as “zero-day exploits,” because it has been zero days since they have been uncovered and fixed. They are the Achilles’ heel of the security business, says a former senior intelligence official involved with cyberwarfare. Those seeking to break into networks and computers are willing to pay millions of dollars to obtain them.

It will allow Endgame’s clients to observe in real time as hardware and software connected to the Internet around the world is added, removed, or changed. But such access doesn’t come cheap. One leaked report indicated that annual subscriptions could run as high as $2.5 million for 25 zero-day exploits.

Because there is no oversight of these activities, companies are free to sell their information to whomever they wish. Bamford says that there is now a black market for this kind of information and there are fears that it could fall into the ‘wrong’ (i.e., non-US) hands.


  1. says

    Pretty much the ability to control the entire internet.

    As I’ve pointed out elsewhere – the US is treating the internet as if it was a colonial power. “It’s ours – we built it!” pretty much says it all.

    Look at what’s owned by the US:
    – the crypto infrastructure used in SSL (Verisign, coincidentally, being right next door to the CIA…)
    – google
    – hotmail
    – microsoft
    – oracle
    – amazon/aws
    – youtube
    – skype
    – intel/mcafee/symantec
    …and the list goes on and on. Anyone with a vague idea of not submitting to the US’ internet rules is going to need a completely independent “stack” for those applications. And you can be sure that by the time it was built, it would be backdoored to a fare-thee-well by the US and everyone else.

  2. says

    BTW – the government’s doing business with the hackers and backdoor experts is going to blow up in their faces. They’re dealing with sociopaths who specialize in writing computer penetration tools, and they are taking software implementations from them. Lie down with dogs, you’re gonna get fleas.

  3. alanuk says

    All very interesting no doubt but the real problem is people. A contractor walks out with a memory stick and the first thing anyone knows is that he is half a world away. An autistic man looking for UFOs walks all round supposedly secret military computer systems and he was not even trying to be malicious. Fort Meade sounds like something out of a Bond film. Very impressive but the real problem is with shoddy software produced by household names. Stuxnet was a great intellectual achievement but it did depend on just such software. The same software is running on millions of computers in the US and elsewhere.

  4. says

    A contractor walks out with a memory stick and the first thing anyone knows is that he is half a world away

    What’s so fascinating to me – as an information security practitioner – is what these leaks tell me about the intelligence community’s internal security. We saw the same thing with Manning: a low-level analyst apparently had access to the whole schlamozzle; that’s a terrible system design. Worse, it appears that they didn’t maintain very good internal logs – they weren’t able to tell exactly what Manning took, as when. Same with Snowden – he’s dumping materials of very wide range – why would a single analyst (let alone a contractor!) have access to the G20 data as well as the prism program, etc, etc. Did they just give yet another low-level analyst access to the whole thing?

    There is apparently serious incompetence at NSA, and all over the intelligence community.

  5. Jerry A. says

    The first thing I thought of when reading about Endgame’s business is “I hope they have all of the bugs they find patched on their systems, or a bad guy looking to take down computer systems will just hack them.” I could visualize the ads for Americans with no criminal background from the Russian mob, or threats from China to Chinese-Americans with family still in China, to get jobs with Endgame as industrial spies. Then I got to the part about annual subscriptions for zero-day exploits, and I realized that destroying huge swaths of networks is not a bug to Endgame, it’s a feature (and their profit center). Endgame is well-named; unless their client list is incredibly limited (which cuts down on potential profits), then they’re sociopaths for hire. [Microsoft and anti-virus companies and the NSA all do it, but they don’t just sell the hole without the repair.]
