BOOZ ALLEN ETC and the Washington Post


The Washington Post has extensively covered Edward Snowden, the 29-year-old hacker hired by prime contractor Booz Allen Hamilton to work for the National Security Agency, who was given global access to online information that he then leaked. One question still unanswered, however, is how much material if any Snowden gave to the Post itself. Follow-up: what if anything does the Post have from Snowden, or from the NSA?


Future plans

According to the Guardian interview with Snowden, in the extensive June 9 article revealing Snowden’s identity, he had “copied the last set of documents he intended to disclose” three weeks earlier. Snowden then packed and boarded a plane for Hong Kong.

Questions for the press: Where are those documents? What is in them?

Snowden, as quoted in the Guardian interview, distinguishes himself from Daniel Ellsberg and Bradley Manning thus:

“I carefully evaluated every single document I disclosed to ensure that each was legitimately in the public interest,” he said. “There are all sorts of documents that would have made a big impact that I didn’t turn over, because harming people isn’t my goal. Transparency is.”

The quoted statement comes in a long article written mostly in third-person paraphrase. Along with the previous question–what is on the documents Snowden turned over to the press?–it raises another. What is on the documents he has not disclosed?


Former Booz Allen executive and now DNI, testifying

Among the items of information paraphrased third person:

  • Snowden broke both his legs training in the U.S. Army Special Forces, at some time between 2003 and 2007
  • he then got his first NSA job, as a security guard in a covert NSA facility at the University of Maryland
  • “From there, he went to the CIA, where he worked on IT security.”
  • he rose quickly in the CIA because of his computer skills, without a high school diploma
  • “By 2007,” the CIA stationed him in Geneva, “with diplomatic cover”
  • in 2009 he went to work for a private contractor for NSA, on a military base in Japan

Edifice wrecks

It would be good to know the exact date on which Snowden began working for Booz Allen Hamilton. The company’s publicly released statement and news reports put it at about three months before Snowden leaked the NSA material–the company says “less than three months.” That would be early March, 2013. The Guardian’s first exclusive, based on contacts with Snowden, appeared June 5. In an online chat, Snowden subsequently said he had taken the Booz Allen job for the purpose of collecting proof of NSA surveillance activities.

“My position with Booz Allen Hamilton granted me access to lists of machines all over the world the NSA hacked,” he told the [South China] Post on June 12. “That is why I accepted that position about three months ago.”

The surveillance license was approved on April 25. According to other reports, The Guardian’s Glenn Greenwald and documentary film maker Laura Poitras began working with Snowden back in February 2013.


Poitras

Questions about the documents and other NSA material are by no means the only questions. They are just the biggest, the weirdest, and the most immediate elephant-in-the-room. What if anything is the Post sitting on? As a Washington Post subscriber and faithful reader, I would like to be alerted beforehand, if my paper plans to run a series based on primary sources from inside the NSA. I would think Post reporters not in the loop would be curious themselves. Where if anywhere is the Post housing these materials, if any? Who is responsible for them, if anyone? Are there backup copies, and if so, where? According to The Hindu, Snowden left carrying “four laptop computers.”


Further questions, as mentioned, are not as big–less global–but still intriguing. Here are a few, categorized for convenience into first, the question of particular fact, and second, the broader questions stemming from the fact.

Fact question one:

As we know, Reuters reported days ago that Booz Allen hired Snowden despite “discrepancies” on his resume. What were the discrepancies?

Broader question/s one:

Why is it not policy to deny a security clearance to any job applicant, anyone without exception, whose resume or job application contains “discrepancies”? Has acceptance of middle-class, white-collar lying on the job gotten so broad that anything goes, even in high-level clearance work? Have four-plus years of relentless press trashing the national economy taken such a toll that no (white-collar) job can be denied or removed, even justifiably?


Fact question two:

Aside from the Booz Allen job, how long, exactly, had Snowden been working for or on NSA facilities? Snowden told the Guardian four years; NSA Director Keith Alexander testified to Congress that Snowden had held a position at the NSA for twelve months.

Broader question/s two:

Are there any safeguards in place [YES, FUNNY WAY TO START A QUESTION], so that red flags go up when a subcontractor jumps from job to job, especially in high-level clearance positions? Have the broader attacks on 1) company pensions and 2) “government jobs” taken such a toll nationally that job-jumping is now assumed to be a resume brightener, even in high-level clearance positions?


Fact question three:

How, exactly, did Snowden get his series of NSA jobs? Did he apply through regular channels? Was it through someone he knew? We already know that he was ‘vetted’ for Booz Allen by USIS. Who recommended him? Who if anyone were his references, for a string of six-figure high-level security jobs?

Broader question/s three:

Is there such a thing as ‘regular channels’ when you apply for a job as a security contractor for the NSA? Are there any protocols in place [YES, YES, I KNOW; FUNNY WAY TO BEGIN A QUESTION] applied uniformly to every applicant? Or are the hoops just something to be sidestepped, rather than jumped through, for someone who knows someone?


As both a U.S. citizen and a journalist, I am eager not to jump to conclusions. We have an ethical obligation to use our judgment to the best of our ability. I cannot see Snowden as either a ‘hero’ or a ‘traitor.’ I have no desire to see him hounded into prison or chased around the globe, let alone worse. There is far too much passive complicity at multiple levels in the quasi-private, excessively outsourced, limply ‘privatized’ intelligence-security realm that hired Snowden and basically bred him, to make him a person of interest in isolation.

Both as a person and a journalist, however, I cannot help being curious. As indicated in the previous posts, I continue to be curious about the multi-billion layers of private contracting–an ironic term, at this point–as well as about government surveillance. So questions will continue to arise.

Back to that press coverage. The Guardian, unlike the Washington Post, has published aptly on Booz Allen. See here and here and here, for example.

To be continued


BOOZ ALLEN ETC and subcontractors


Part of the fallout from the spectacular security breach at Booz Allen Hamilton itself–when its contractor Edward Snowden, hired at age 29 to monitor global classified security from inside a National Security Agency station in Hawaii, revealed the capabilities–is that the subcontractor who vetted Snowden for Booz Allen is being investigated.

Quis custodiet ipsos custodes?

Snowden

The subcontractor is northern Virginia-based US Investigations Services (USIS). The company is not connected to the federal United States Information Service. The USIS web site bills it as “the leader in federal background investigations.” From a recent media release comes this announcement that USIS has won a contract from the Department of Homeland Security:

“FALLS CHURCH, Va., – US Investigations Services Professional Services Division, Inc. (USIS PSD), a subsidiary of US Investigations Services, LLC (USIS), the largest commercial provider of background investigations to the federal government, has been awarded a prime contract by the Department of Homeland Security, U.S. Citizenship and Immigration Services (USCIS), to provide biometric capture services in support of applications for a variety of immigration benefits and U.S. citizenship. The indefinite-delivery/indefinite-quantity contract is for one base year with four one-year options and has a potential value of $889 million over a five-year period.”

More good news for immigrants. Further information on USIS, from the company:

“USIS provides services under more than 100 contracts. It is the largest commercial provider of background investigations to the federal government. It has more than 6,000 employees providing services in all 50 states and U.S. territories and overseas. USIS offers a variety of adjudication support, including background checks, litigation support, records support, investigative analytics and biometric services, as well as customized solutions that help government clients manage records, information and documents. Learn more at www.USIS.com.”

Also provided is the company’s statement on the June 20 Senate Homeland Security Subcommittee hearing–Yes, we are being investigated–but it was not about Snowden, at least not last year–Nobody knew about Snowden then, including us:

“FALLS CHURCH, VA, June 20, 2013 — At a Senate hearing today, questions were raised as to whether USIS is under “criminal investigation.” USIS has never been informed that it is under criminal investigation. In January 2012, USIS received a subpoena for records from the U.S. Office of Personnel Management’s (OPM) Office of Inspector General (OIG). USIS complied with that subpoena and has cooperated fully with the government’s civil investigative efforts.

In the same Senate hearing, questions were raised as to whether USIS had conducted the initial background investigation, or a periodic reinvestigation, for the security clearance of Edward Snowden. USIS conducts thousands of background investigations annually for OPM and other government agencies. These investigations are confidential and USIS does not comment on them.”

The federal investigation into USIS itself was first reported by the Wall Street Journal:

“USIS, a Falls Church, Va., company owned by private-equity firm Providence Equity Partners LLC, has more than 7,000 employees and conducts 45% of OPM investigations done by contractors, officials said. Last year, USIS received $200 million for its work, Ms. McCaskill said.”

The Washington Business Journal faults lack of competition in contracting for problems:

“So what is this type of work worth? In 2011, USIS was awarded a multiyear contract by OPM to conduct background investigative fieldwork for government agencies. The estimated total value of the contract was about $2.45 billion over five years. And USIS held the same contract before that award.”

Bloomberg News blames the outsourcing on Al Gore:

“The revelation that Snowden disclosed two classified U.S. surveillance programs after being vetted by USIS may have damaged the company’s reputation and prompted questions about the wisdom of outsourcing security reviews.”

Olbermann on Countdown

Bloomberg has a point. I, for one, also blame Al Gore for firing Keith Olbermann from CurrentTV.

But I digress.


Tom Lehrer, mathematician, humorist and song writer

Moving away from humor, Sourcewatch, among other sites, noted much earlier that the company was involved in the 2004 assault on Fallujah, in Iraq, and in an investigation on the assault connected to the death of Col. Ted Westhusing in 2005.

The company that owns USIS, Providence Equity Partners LLC, focuses according to its web site and company filings on investing in “media, communications, education and information.” More information:

“Established in 1989, the firm pioneered a sector-based approach to private equity, convinced that a dedicated team of industry experts could build companies of enduring value in the dynamic communications industry. Guided by this commitment, we have led some of the most exciting and successful companies in our sectors, generating superior investment returns across economic cycles. Today, having invested in more than 130 companies over our 23-year history, Providence is one of the world’s premiere private equity firms and a dominant global franchise in the media, communications, education and information industries. . . .

Our team actively seeks investment opportunities on a global basis from offices in Providence, New York, London, Hong Kong, Beijing and New Delhi. We partner with companies across different stages in their development, from growth capital and complex recapitalizations of family-owned businesses to large buyouts and take-privates. We can employ a variety of financing structures and target equity investments of $150 million to $800 million. We prefer to lead our investments, serve on company boards, and work collaboratively with company management. From broadband to broadcast, music to film, wireline to wireless, publishing to Internet, we bring unparalleled industry, financial and operational expertise to each of our portfolio companies.”

Sounds secure, doesn’t it? Who would imagine that a global company, its offices around the world connected by thousands of electronic messages and transactions weekly, could have any problems–even indirect–with security breaches on its watch?

When again did satire die, exactly?

Among those companies is Altegrity, the parent company of USIS. Altegrity is among other things the holding company for Kroll Ontrack Inc. and London-based Kroll Advisory Solutions, spin-offs from the former Kroll Inc, which provided security services in Iraq. Kroll, like Booz Allen Hamilton with which it had significant interchange, was up to its eyeballs in boosting war with Iraq, a war for which it also helped prepare and from which it received substantial government contracting business. Kroll was previously owned by Marsh & McLennan, also involved both in boosting the invasion of Iraq and in Iraq war business once the war was underway. So once again–not to hammer a point that should be sufficiently obvious by now–we have security and investigation companies participating in monitoring, oversight, or investigation of what amounts to their own previous work. The companies, furthermore, having won government contracts for their previous work, are now winning government contracts to retrace the steps–so to speak–on a global scale.


Another company held by Altegrity, by the way, is HireRight, “the commercial employment screening business of Altegrity that serves more than 30,000 commercial customers in the U.S. and overseas, including more than 25 percent of the Fortune 500.”


It remains to be seen whether the vetting for those 30,000 commercial customers rises to the standard of the vetting that gave us Edward Snowden.


To be continued


BOOZ ALLEN ETC and the Silver Line


In a possible sign of the times, Corporate Counsel reports that references to cyber-security in SEC filings have gone up in the past year. Citing a white paper by the business intelligence firm Intelligicize, the article also reports that cybersecurity is referred to as a risk factor more by telecommunications companies than by any other kind of company, followed by computer and online services. References to antibribery measures also have increased in SEC filings. The SEC, meanwhile, is doing its bit to encourage whistleblowers against corporate fraud and abuses by giving a financial incentive, the annual Dodd-Frank whistleblower award; this year, three awardees will receive 5 percent each of $7.5 million.


Snowden

The recent case of 29-year-old Edward Snowden, employed by a major government contractor, who wielded cyber intrusions on a global scale and then revealed them, is a reminder that there are, of course, other problems besides fraud. Particularly in the realm of cybersecurity, what can go wrong will go wrong. When major contractors such as Booz Allen become Too Big to Expose, get to call the shots, and get hired to police their own work, what can go wrong will get ludicrous.


Billed as a watering hole for Wall Streeters

The company that hired Snowden for government work, paid for with federal tax dollars, is nothing loath to proclaim its ties with government. Under the heading “Who [sic] We Serve,” the company touts–along with its service to “foreign military programs of U.S. allies”–its services to the federal government, civilian and military, and to private firms in health, energy and financial services. (Telecommunications are not itemized in this short summary, although they have been referenced elsewhere.) Mentioning more specifically the Intelligence Community, the company boasts that “We serve the Director of National Intelligence, Undersecretary of Defense for Intelligence, National Intelligence and Civil Agencies, and Military Intelligence.”

It also serves all branches of the armed forces:

Army: “Booz Allen supports the Army, Army Reserves, and Army National Guard across the entire scope of responsibilities.”

Navy: “We assist Navy organizations from the Office of the Secretary of the Navy and Chief of Naval Operations to the Navy operating commands and systems commands.”

Air Force: “Serving Air Force headquarters and every major command, we work in areas as diverse as special operations, aircraft certification and accreditation, airborne networks, and next-generation C4ISR systems—always with an eye for maximizing Air Force investments.”

“In a fast-changing world of new threats and mission requirements, we help the Air Force be ready for what’s next.”

Marines: “We also assist organizations throughout the Marine Corps, including Marine Corps Headquarters, Combat Development Command, Training and Education Command, Special Operations Command, and Systems Command.”

Under civilian agencies, “The professionals at Booz Allen help civilian government agencies tackle their most complex challenges, such as reforming financial regulatory oversight, evolving our healthcare system, improving information sharing and mission integration among law enforcement organizations, strengthening cybersecurity, improving energy efficiency, supporting green building initiatives, and implementing our nation’s Next Generation Air Transportation System.”


Again, the point of these reminders is not that the Booz Allen and Snowden flap is just business as usual. These are fertile fields for improvement. The less qualified echelons in the defense and security contracting world should never have become effectively ensconced in government in the first place. These are not the types who sit alone and quiet for a meditative twenty minutes at night, thinking, Now, what did I do that I could have done better? And How can we improve on this for next time?

Booz Allen, to focus on the current name in the news, has not been trolling for customers only in the federal government. As the Project for Government Oversight among others reminds, the company is a major contractor at all levels of government–federal, state, local. While the company’s revenue and personnel numbers are down somewhat, it is still riding high–in related news, its CEO got a 47 percent pay hike in the most recent year–and its executives serve on the boards of foundations and non-profits all over Washington.

Despite the company’s famous connectedness, I was struck by the extent to which the new Silver Line track in D.C.’s expanding Metrorail system will benefit Booz Allen. The northern Virginia company’s headquarters are at 8283 Greensboro Drive, where it leases from an REIT through 2016. The location, as noted by one eagle-eyed real estate observer, “is less than 500 feet from the future Tyson’s Central 7 Metrorail station, due for completion in 2013.” Tyson’s 7, otherwise known as the Greensboro station on the D.C. Metro line, is part of Fairfax County’s Dulles Corridor Metrorail Project. The station, which will connect Tysons Corner and vicinity to Dulles Airport as well as to the rest of metro D.C., is slated to open by the end of 2013.

I called Metro (WMATA) to find out whether a more exact timetable is available, but was told by the media office to call the Metropolitan Washington Airports Authority (MWAA). Metro says, “They have not given over that project to us,” and “we can’t comment on deadlines,” time frame, etc. Metro will be operating the station, as with the rest of the Silver Line. MWAA’s 16-member board, including Chairman and Vice Chairman, includes seven Virginia representatives, appointed by Gov. Robert F. McDonnell (after a contentious restructuring), three members appointed by the governor of Maryland, four by the mayor of D.C., and two by the White House. Ongoing controversies include continuing Virginia push-back against hiring union members to perform work on the Silver Line or on the Dulles Corridor Project in any way.

Silver Line track work

Members of the Metropolitan Washington Airports Authority board include former GOP candidate for state senate in Virginia Caren Dewitt Merrick, also a member of the non-profit Women in Technology (WIT). Women in Technology hosted one of its ‘Meet the Company’ events last week in Vienna, Va. The company featured was Booz Allen Hamilton. Merrick’s husband, Philip Merrick, is chairman and co-founder of VisualCV, Inc. His former COO at VisualCV was Doug Meadows, now a senior associate at Booz Allen Hamilton. Another of MWAA’s Virginia appointees is Bruce A. Gates, a senior vice president at Altria Group, corporate parent of giant cigarette company Philip Morris. Booz Allen’s connections with Altria are too extensive to list, counting personnel, donations, corporate sponsorships and board memberships; both Booz Allen and Altria are also involved in the Aspen Institute among numerous similar networks. The Greensboro Drive property where Booz Allen is located is owned by the Washington Real Estate Investment Trust (WRIT), which does its own extensive corporate shoulder-rubbing and which stands to benefit on its real estate investment once Booz Allen’s massive expansion and improvements are completed.


Plan

The benefits to Booz Allen from Metrorail’s expansion are too obvious to need belaboring. Company employees can take Metro to work–obviously a good thing in itself–and company clients can visit more easily and quickly, flying in via Dulles Airport, while company personnel can leave just as easily. (A future Edward Snowden will have the Silver Line for a quick get-away.) The enhanced property values on which the company sits carry their own cachet. Meanwhile, the company will also have the benefit of additional convenience for the mammoth Tysons development area, and for D.C. and its Maryland suburbs. Construction of the Silver Line, and the Dulles Corridor Project itself, were issues of heated contention in Virginia for years. Ironically, many if not most of their political opponents were opposed on pro-‘business’ and pro-‘private enterprise’ grounds.

BOOZ ALLEN ETC Continued


Again, the point of the reminders below is not that the more things change, the more they stay the same. The point is that previous lessons need to be re-learned. Next-to-the-top echelons in the defense and security contracting world, effectively ensconced in government, do not tend to head for the door when an administration changes. The recent news that 29-year-old Edward Snowden, employed by a major government contractor, wielded global cyber intrusions and then revealed them is another reminder that we are still dealing with the problems.


At home in Washington

The NSA contractor, of course, is Booz Allen Hamilton, the giant ex-spooks and black-hats company with government ties at federal, state and local levels. With Snowden, the company deviated from its strengths, hiring not an ex-spook but a future spook who seems to have decided he had gotten onto the wrong career path. Again ironically, in light of recent events, Booz Allen’s services include monitoring other surveillance programs. The recent predictable problems are now part of a well established track record.


Snowden

Take the 2006 flap over Booz Allen’s monitoring the SWIFT project. This, to recap briefly, was the George W. Bush administration’s examination of records of the Society for Worldwide Interbank Financial Telecommunication (SWIFT), headquartered in Belgium. The government eyeballing gave the Bush administration access to millions of financial messages per day involving payments, securities transactions, etc., between thousands of banks and other financial entities around the world. SWIFT touted its safety and security as a financial messaging system. (For what it’s worth, Booz Allen itself uses SWIFT.) Such financial surveillance being too much for Wall Street to stomach even from a super-friendly administration, uproar ensued. Thus Booz Allen was said to be monitoring it. This was less than reassuring, to Wall Street as well as to the ACLU (linked above), given the contractor’s numerous and profitable ties to the feds it was supposed to oversee.


Vox populi

The ties were pointed out again in 2011 by, among others, Anonymous. The notorious cyber vigilantes gleefully hacked–wait for it–Booz Allen, apparently with ease, getting access to among other things thousands of military emails. Here for fun is Anonymous’ own take on the exploit:

“Hello Thar!

Today we want to turn our attention to Booz Allen Hamilton, whose core business is contractual work completed on behalf of the US federal government, foremost on defense and homeland security matters, and limited engagements of foreign governments specific to U.S. military assistance programs.

So in this line of work you’d expect them to sail the seven proxseas with a state-of-the-art battleship, right? Well you may be as surprised as we were when we found their vessel being a puny wooden barge.

We infiltrated a server on their network that basically had no security measures in place. We were able to run our own application, which turned out to be a shell and began plundering some booty. Most shiny is probably a list of roughly 90,000 military emails and password hashes (md5, non-salted of course!).

We also added the complete sqldump, compressed ~50mb, for a good measure. We also were able to access their svn, grabbing 4gb of source code. But this was deemed insignificant and a waste of valuable space, so we merely grabbed it, and wiped it from their system.”

No clarification yet on whether SWIFT or, for that matter, Booz Allen will be involved if complicated extradition proceedings get underway for Edward Snowden. But then exactly what material Snowden had access to in general has not been clarified–and presumably will not be. How much Snowden got from SWIFT specifically has also not been clarified. The footprint of the financial messaging service is large on the internet, given the nexus of the NSA, private contracting, and foreign policy. SWIFT was among the levers used against Iran.


Before SWIFT, there was TIP, or the Total Information Awareness program, run by Admiral John Poindexter, back in 2002. To recap very briefly, Booz Allen was also in this one up to the eyeballs (along with SAIC among others). The TIP or TIA program was short-lived because of the uproar–although one of its leading lights, Mike McConnell, stayed in the administration as George W. Bush’s second Director of National Intelligence, before returning to Booz Allen to serve as Senior Vice Chairman.

Summing up, ties between administrations and Booz Allen have been numerous and have been written about by a number of authors. The ties between Booz Allen, its brothers in arms in the contracting world, and the now-cyber-ghost-town PNAC, or Project for the New American Century, alone have been more than friendly. When PNAC-er Dov Zakheim left the Pentagon, in April 2004, he became a partner at Booz Allen. Former CIA director R. James Woolsey, another PNAC signatory, was a vice president at Booz Allen.

Thus signatories fervently bent, by their own hand, on war with Iraq rotated through the intelligence-security industry revolving door, to become part of a company frequently paid for monitoring intelligence and security work–including some of their own previous work.

The way a good corporate candidate for major contracts is chosen continues to baffle. One fundamental problem is the lack of protection against potential conflicts of interest. It is anomalous that a major military contractor and a major security contractor for the federal government could be given oversight or a supervisory role in surveillance conducted by the federal government. The potential conflict of interest is too large. Suppose, hypothetically, that the sifting through discloses some previous lapse by the contractor itself?

To be continued


BOOZ ALLEN ETC Continued


The June 2013 news that Booz Allen Hamilton entrusted a 29-year-old disaffected cyber-geek with oxymoronic global secrets, stationed him in Hawaii, and placed him under the supervision apparently of his girlfriend, should come as a surprise. Instead it comes as part of a familiar pattern.

Ironies are too easy to find. To avoid belaboring the obvious, I’ll quote just one Booz Allen press release, this one from February 2013 headed “Booz Allen Hamilton Launches Cyber4Sight Threat Intelligence Services.” 

The gist:

“Booz Allen Hamilton today launched Cyber4Sight™ Threat Intelligence Services, which uses multiple data sources to identify and monitor an organization’s unique cyber security profile, determine its “attack surface,” and deploy military grade predictive intelligence to anticipate, prioritize and mitigate cyber threats 24/7. This anticipatory service produces real-time, practical indications and warnings so that commercial organizations can take defensive actions against cyber attacks long before they occur.”

Taking the PR statement at face value, one might be inclined to ask whether Booz Allen considered itself a commercial organization or whether “cyber attacks” include someone inside giving away the store. As said, too easy.

It’s the take-aways that matter. Among them, the following:

1) When you’re talking about the business of the U.S. government, every privatizing, off-shoring or outsourcing is potentially a security breach. This is particularly the case when the government contractors are extremely well-connected, and when the business involved–surveillance, cyber security, etc.–is extremely sensitive or top-secret. The potential intensifies when the contractor is a behemoth and starts to fall into the Too-Big-to-Expose category. These are not factors that enhance oversight, transparency and accountability. Anti-labor types should bear in mind that the ‘privatizing’ mindset that devalues loyalty in favor of big-bucks contracts opens the door to similar security breaches. As ever, when you work with a security firm, what’s on your computers is on their computers.

2) When people start thinking they are above or beyond the law, trouble looms. This principle should be obvious, maybe, but some obvious applications–as they say in R & D–seem not to have been developed. I am not talking so much about Edward Snowden here, as about the mentality that led his corporate employers to hire him. Snowden was not picked from a stack of resumes in Human Resources. He billed himself as special in ways that appeal to the anti-egghead echelon of executive leadership–a de-emphasis on time and labor, including time spent in school; a certain pride in skirting the rules or at least the guidelines, including valuable principles; and a devaluing of serious non-commercial education. Thus he walked in through a side door, figuratively located just the other side of Executive Men’s Toilet. They’re paying for it now.

3) Anti-‘government’ rhetoric is not a solution. ‘Small government’ types in certain circles are exactly the people building mega-billion corporate complexes, bulldozing the Bill of Rights at work and in the community, and then being breached in one way or another. In political circles and in finance circles and in military-and-security technology circles, ‘small government’ types are people simply asking for less supervision and more money for themselves, under the headings of ‘less government’ and ‘lower taxes.’ These are not people who tend to be reflective types, regularly questioning and examining their own motives, leaning over backward to give the other guy his due. Booz Allen Hamilton, one of the biggest contractors in Washington, benefiting from government at all levels–more on that later–donates copiously to politicians who shriek ‘less government’ and ‘lower taxes.’ “Smaller government”? From the corporate allies of our Chamber of Commerce? Typically they avidly solicit and receive contracts from Uncle Sam, to such an extent that the cyber-security sector has become one of the biggest harbors of corporate welfare.

4) Macho corporate swagger is not a solution. The bigger they come, the harder they fall. Not all of Booz Allen’s extensive ties in the intelligence community, the American military, civilian government agencies and beyond saved it from mistakes so elementary that, literally, many eighth-graders would have known enough to avoid them. The price of democracy is constant vigilance. That means not just state-of-the art technology, but a close eye on human values. Too much careerist games-playing is incompatible with genuine security.

These are all lessons repeatedly illustrated over recent decades and/or since the year 2000. The point, as previously written, is that previous lessons have not been learned thoroughly enough. The incoming Obama administration had a lot on its plate in January 2009, but it still needed to clean house thoroughly. Unfortunately, having ensconced private security and private ties to military capabilities in government at the highest levels, the national political establishment was little able to mitigate some of the problems.

Thus, as the Booz Allen press release has it,

“Today’s cyber threats are increasingly targeting corporations and governments to conduct industrial espionage, undermine business and financial operations and sabotage infrastructure. A perimeter defense alone is no longer sufficient protection–adversaries are too many, too fast and too sophisticated. Organizations need a new paradigm that combines real-time security resources with a rigorous method of mitigating cyber risks. Booz Allen has combined its deep functional cyber expertise from the intelligence community with its operational military experience to create Cyber4Sight.”

Potential ‘adversaries’ include, you might say, your own people who are less than entranced with many aspects of what you’re doing. Potentially that might encompass much of the United States population.


Going forward, there are questions to be addressed, humorous or otherwise:

Isn’t it possible to vet contractors to prevent giving more government contracts to–for example–a company with its own cyber-security problems?

Big Green

Is anyone moving to review Booz Allen Hamilton’s current federal contracts or other contracts, at least those involved with security, surveillance, or monitoring security or surveillance, etc?

Is anyone moving to reduce the shoulder-rubbing between government agencies and some of our extensively breached contractors?

State as well as federal

Back to that press release:

“Booz Allen’s Cyber4Sight provides clients–from banks to insurance companies to energy utilities–with anticipatory cyber threat intelligence that allows them to cultivate a proactive security posture, get ahead of an attack, assess risks and take appropriate actions to mitigate future attacks. Cyber4Sight combines the science of Big Data with the art of analysis and information gathering to give clients a holistic, forward-looking cyber security program. This service is the result of a significant multi-year investment Booz Allen has made to create an infrastructure that globally integrates data collection, aggregation and analysis and engages cyber analysts from a myriad of disciplines.”

Including high-school dropouts.

Leaving the Snowden matter aside–

As said before, due diligence should be routine in federal contracting. This is especially true in security. Aside from other measures, tightening up disclosure requirements for lobbying would help. It is not enough just to require ‘registered’ lobbyists to provide certain information. We need to require everyone who lobbies to ‘register.’


to be continued

BOOZ ALLEN ETC


The point of the re-posts below is not that the more things change, the more they stay the same. The point is that previous lessons have not been learned thoroughly enough. The incoming Obama administration had a lot on its plate in January 2009, but it still needed to clean house thoroughly.


January 2009 magazine cover

Unfortunately, the next-to-the-top echelons in the defense and security contracting world, effectively ensconced in government, had other ideas. We as a nation are still dealing with the problems.

Award-winning Booz Allen Hamilton, 2009


The re-posts below, on problems at security contractor HBGary, are just a small reminder of some of the problems still ongoing. More on these topics later.


Previously posted February 17, 2011:

HBGary trolling for customers in the federal government
–while helping the C of C take down ‘big government’

More corporate welfare, this time in the cybersecurity sector

One thing demonstrated conclusively by the massive cache of HBGary emails released on the Internet is that HBGary was highly, not to say avidly, soliciting and receiving contracts from Uncle Sam. They also demonstrate that genuine cybersecurity was not a first concern with the company.

“Smaller government”? From the cats allied with our Chamber of Commerce?

Not so much.

A few quick examples tell the story, swiftly plucked from the tens of thousands of emails linking—as we now know—a number of private corporations and our numerous intelligence agencies in government to a shysterly lobbying firm:

On Feb. 2, 2011, the U.S. Department of Justice’s program manager at the InfoSec Technologies (IST) Team of the DOJ I.T. Security Staff emailed a reminder to 34 personnel in eight federal agencies, six private companies including HBGary, and an association. (The links are now down but were accessible yesterday [Feb. 16, 2011].)

The reminder was, ironically, that “The DOJ Cybersecurity Conference will be held February 8-9, 2011, at the Walter E. Washington Convention Center in Washington, D.C.,” and reassured “All” that “Prior to and during the conference, we will be working with the conference speakers to ensure they have everything they need in their respective session rooms.”

Questions placed with the Department of Justice Office of Public Affairs have not been replied to. A phone call to the DOJ requesting comment has not been returned.

Shortly before this ironic cybersecurity event, aggressive presenter HBGary was hacked, and tens of thousands of emails exchanged among these black-hat holes-in-the-heads and their customers, including federal customers, were released.


HBGary

The conference had, as ever, government facilitators paid with [federal] tax dollars:

“In preparation for the conference, we are asking the speakers to submit their presentations to me by Friday, February 14th. The presentations will then be loaded onto the laptops in each of the presentation rooms.”


Memo to all, in the security sector or not, to engrave over the door: When you work with a security firm, what’s on your computers is on their computers.

The Feb. 2 email continues,

“When submitting your presentation, please indicate if any special equipment or computer networking is needed for the presentation. Also, please indicate if your presentation can be made publicly available to participants following the completion of the conference.”

Federal personnel on this email list work in the Department of Justice, the FBI, the U.S. Army, State, the Office of Personnel Management, the National Institute of Standards and Technology (NIST), the Department of Homeland Security, and the U.S. Computer Emergency Readiness Team (CERT).

Private companies besides HBGary included GE, Dell, PWC, Mandiant, and MK Won Associates.

For context, be it noted that this email from our Justice department was sent, among others, to Aaron Barr at the HBGary firm, recently infamous. As seen, the immediate topic is an upcoming conference on cybersecurity, at which HBGary was to pitch its products and services to IT professionals across government.


Barr

Some obvious questions:

1) Would we really want HBGary to get more government contracts, given its own problems with cybersecurity?

2) Are HBGary’s current federal contracts under review, given recent events including the hack itself and the exposed actions by the company?

3) Is the Justice department or the White House really going to give HBGary a pass on its amply documented actions, misfeasance or malfeasance, including proposals for surveillance and ‘dirty tricks’ against critics of the Chamber of Commerce and/or HBGary clients, simply because HBGary emails were released?

4) Isn’t it better for the public interest that these massive security breaches have been exposed?

And more.


One positive recommendation to come away with: Sagging economy or not, due diligence–i.e., close examination of the company itself–should be routine in federal contracting. This is especially true in security. The weaknesses in HBGary’s own tech component have been amply revealed by now. As Naked Security and Ars Technica discuss, just about everything Aaron Barr in particular was doing on computers was readily breachable. One problem seems to be that Barr and his cohorts were at least as interested in selling as in providing. (Hands slapping foreheads in disbelief–a nation draws its breath–You think!?)

Too much games playing, too little security.

Notwithstanding the obvious humor, this enormous matter is also grave. Genuine issues of public safety and public health could be affected by similar security breaches, and a large part of the problem stems from that same old ‘privatizing’ mindset that devalues loyalty in favor of big-bucks contracts.

At present it seems unlikely that the GOP in Congress will be hotly investigating this matter.

Note: The numerous federal offices on the mailing list referred to above are far from HBGary’s only government intelligence contacts or IC customers. As the HBGary emails reveal, the company was also interested at the very least in applying to the Intelligence Advanced Research Projects Activity (IARPA).


The company also had a presentation for the CIA, long in the works. While not evincing much concern about the quality of their security, Barr and his cohorts expressed concern about the quality of the presentation:

“It’s just under an hour long, hope its not too boring 🙂 –
the idea that social networking is intimate with cyber security is a new concept and very accurate.”

As said, ridicule aside, this is an issue that goes beyond one company.

Regarding HBGary and its proposals, Think Progress is on this bigtime:

“ThinkProgress has learned that a law firm representing the U.S. Chamber of Commerce, the big business trade association representing ExxonMobil, AIG, and other major international corporations, is working with a set of “private security” companies and lobbying firms to undermine their political opponents, including ThinkProgress, with a surreptitious sabotage campaign.

According to e-mails obtained by ThinkProgress, the Chamber hired the lobbying firm Hunton and Williams. Hunton And Williams’ attorney Richard Wyatt, who once represented Food Lion in its infamous lawsuit against ABC News, was hired by the Chamber in October of last year. To assist the Chamber, Wyatt and his associates, John Woods and Bob Quackenboss, solicited a set of private security firms—HB Gary Federal, Palantir, and Berico Technologies (collectively called Team Themis)—to develop tactics for damaging progressive groups and labor unions, in particular ThinkProgress, the labor coalition called Change to Win, the SEIU, US Chamber Watch, and StopTheChamber.com.”


Glenn Greenwald at Salon, one of the targets of HBGary’s bright idea of dirty tricks, has this rundown.


Previously posted Feb. 18, 2011:

As previously posted, the enormous cache of emails from and to cybersecurity firm HBGary reveals extensive ties to government agencies. The public stance by the Chamber of Commerce among other HBGary clients against ‘big government’ belies the firm’s willingness to treat our federal agencies, which arguably have a legitimate security interest, as Uncle Sugar.

First off, however–and not to make excessive light of a serious topic–it is undeniably humorous to see how a bunch of swaggering black-hatters react when they start becoming aware that their own security shortcomings are being ventilated. Gradually the light begins to dawn: The guys with the black hats may have to get out of Dodge.

More seriously–No word yet on when, or whether, HBGary alerted its clients inside our federal intelligence community, after becoming aware that its accounts were compromised. In a Sun. Feb. 6, 2011, email with the subject line “Now we are being directly threatened,” Aaron Barr says “I will bring this up with FBI when I meet with them tomorrow,” but out of context the line sounds as much like bluster as anything else. Possibly HBGary may have retained a touching faith to the bitter end, partly based on encouraging feelers put out by CBS’ Sixty Minutes, that the FBI would join with the biggest lobbyists in the corporate world and go after those malefactors at Anonymous.

No word yet on whether Sixty Minutes will do a segment on how Anonymous hacked HBGary, having initially approached the topic from the other end. Be it noted that even while salivating over the free publicity of a Sixty Minutes interview, the company was ridiculing CBS’ Katie Couric and Bryant Gumbel behind the scenes by circulating a video clip from 1994.

The Department of Justice has not yet responded to questions about DOJ deals with HBGary, but the ties appear to have been rather friendly.

The firm was establishing a similarly warm relationship with the U.S. military, as displayed in more than one string of emails.

That the relationship was ongoing rather than a casual fling is corroborated by the fact that some personnel at HBGary organized themselves for financial purposes as “HBGary Federal LLC.”

Along with the contracts themselves, our federal agencies also benefited this cybersecurity firm by providing venues where it could rub shoulders with some of the globe’s biggest black-hatters, including SAIC. Regrettably, SAIC is another major federal contractor, thus extending the potential for security breaches even farther into government. Admittedly it is possible that SAIC has been savvy enough to avoid hiring someone who, like Aaron Barr, would use the same password for all his/her accounts.

Speaking of bigtime contractors, one of the ways HBGary was going to combat the threat posed by its hacking–having finally seen it coming, from a foot away–was by meeting with Booz Allen. Booz Allen has had extensive and deeply rooted ties with the IC and has reaped highly lucrative returns from the relationship.


In any case, only one email seen by this writer suggests a hint of concern in the larger interest, stemming from the company’s security breach.

At the risk of repetition, it is worth noting once again that privatizing, outsourcing, and offshoring pose manifold risks to domestic security as well as to the economy.

As one political science professor comments, “The public knows almost nothing about the extent of consulting on the public dole.”

To be continued