BOOZ ALLEN ETC
The point of the re-posts below is not that the more things change, the more they stay the same. The point is that previous lessons have not been learned thoroughly enough. The incoming Obama administration had a lot on its plate in January 2009, but it still needed to clean house thoroughly.
Unfortunately, the next-to-the-top echelons in the defense and security contracting world, effectively ensconced in government, had other ideas. We as a nation are still dealing with the problems.
The re-posts below, on problems at security contractor HBGary, are just a small reminder of some of the problems still ongoing. More on these topics later.
Previously posted February 17, 2011:
HBGary trolling for customers in the federal government
–while helping the C of C take down ‘big government’
More corporate welfare, this time in the cybersecurity sector
One thing demonstrated conclusively by the massive cache of HBGary emails released on the Internet is that HBGary was highly, not to say avidly, soliciting and receiving contracts from Uncle Sam. They also demonstrate that genuine cybersecurity was not a first concern with the company.
“Smaller government”? From the cats allied with our Chamber of Commerce?
Not so much.
A few quick examples tell the story, swiftly plucked from the tens of thousands of emails linking—as we now know—a number of private corporations and our numerous intelligence agencies in government to a shysterly lobbying firm:
On Feb. 2, 2011, the U.S. Department of Justice’s program manager at the InfoSec Technologies (IST) Team of the DOJ I.T. Security Staff emailed a reminder to 34 personnel in eight federal agencies, six private companies including HBGary, and an association. (The links are now down but were accessible yesterday [Feb. 16, 2011].)
The reminder was, ironically, that “The DOJ Cybersecurity Conference will be held February 8-9, 2011, at the Walter E. Washington Convention Center in Washington, D.C.,” and reassured “All” that “Prior to and during the conference, we will be working with the conference speakers to ensure they have everything they need in their respective session rooms.”
Questions placed with the Department of Justice Office of Public Affairs have not been replied to. A phone call to the DOJ requesting comment has not been returned.
Shortly before this ironic cybersecurity event, aggressive presenter HBGary was hacked, and tens of thousands of emails exchanged among these black-hat holes-in-the-heads and their customers, including federal customers, were released.
The conference had, as ever, government facilitators paid with [federal] tax dollars:
“In preparation for the conference, we are asking the speakers to submit their presentations to me by Friday, February 14th. The presentations will then be loaded onto the laptops in each of the presentation rooms.”
Memo to all, in the security sector or not, to engrave over the door: When you work with a security firm, what’s on your computers is on their computers.
The Feb. 2 email continues,
“When submitting your presentation, please indicate if any special equipment or computer networking is needed for the presentation. Also, please indicate if your presentation can be made publicly available to participants following the completion of the conference.”
Federal personnel on this email list work in the Department of Justice, the FBI, the U.S. Army, State, the Office of Personnel Management, the National Institute of Standards and Technology (NIST), the Department of Homeland Security, and the U.S. Computer Emergency Readiness Team (CERT).
Private companies besides HBGary included GE, Dell, PWC, Mandiant, and MK Won Associates.
For context, be it noted that this email from our Justice department was sent, among others, to Aaron Barr at the HBGary firm, recently infamous. As seen, the immediate topic is an upcoming conference on cybersecurity, at which HBGary was to pitch its products and services to IT professionals across government.
Some obvious questions:
1) Would we really want HBGary to get more government contracts, given its own problems with cybersecurity?
2) Are HBGary’s current federal contracts under review, given recent events including the hack itself and the exposed actions by the company?
3) Is the Justice department or the White House really going to give HBGary a pass on its amply documented actions, misfeasance or malfeasance, including proposals for surveillance and ‘dirty tricks’ against critics of the Chamber of Commerce and/or HBGary clients, simply because HBGary emails were released?
4) Isn’t it better for the public interest that these massive security breaches have been exposed?
One positive recommendation to take away: Sagging economy or not, due diligence, i.e. close examination of the company itself, should be routine in federal contracting. This is especially true in security. The weaknesses in HBGary’s own tech component have been amply revealed by now. As Naked Security and Ars Technica discuss, just about everything Aaron Barr in particular was doing on computers was readily breachable. One problem seems to be that Barr and his cohorts were at least as interested in selling as in providing. (Hands slapping foreheads in disbelief—a nation draws its breath—You think!?)
Too much games playing, too little security.
Notwithstanding the obvious humor, this enormous matter is also grave. Genuine issues of public safety and public health could be affected by similar security breaches, and a large part of the problem stems from that same old ‘privatizing’ mindset that devalues loyalty in favor of big-bucks contracts.
At present it seems unlikely that the GOP in Congress will be hotly investigating this matter.
Note: The numerous federal offices on the mailing list referred to above are far from HBGary’s only government intelligence contacts or IC customers. As the HBGary emails reveal, the company was also interested at the very least in applying to the Intelligence Advanced Research Projects Activity (IARPA).
The company also had a presentation for the CIA, long in the works. While not evincing much concern about the quality of their security, Barr and his cohorts expressed concern about the quality of the presentation:
“It’s just under an hour long, hope it’s not too boring 🙂 – the idea that social networking is intimate with cyber security is a new concept and very accurate.”
As said, ridicule aside, this is an issue that goes beyond one company.
“ThinkProgress has learned that a law firm representing the U.S. Chamber of Commerce, the big business trade association representing ExxonMobil, AIG, and other major international corporations, is working with a set of “private security” companies and lobbying firms to undermine their political opponents, including ThinkProgress, with a surreptitious sabotage campaign.
According to e-mails obtained by ThinkProgress, the Chamber hired the lobbying firm Hunton and Williams. Hunton and Williams’ attorney Richard Wyatt, who once represented Food Lion in its infamous lawsuit against ABC News, was hired by the Chamber in October of last year. To assist the Chamber, Wyatt and his associates, John Woods and Bob Quackenboss, solicited a set of private security firms—HB Gary Federal, Palantir, and Berico Technologies (collectively called Team Themis)—to develop tactics for damaging progressive groups and labor unions, in particular ThinkProgress, the labor coalition called Change to Win, the SEIU, US Chamber Watch, and StopTheChamber.com.”
Glenn Greenwald at Salon, one of the targets of HBGary’s bright idea of dirty tricks, has this rundown.
Previously posted Feb. 18, 2011:
As previously posted, the enormous cache of emails from and to cybersecurity firm HBGary reveals extensive ties to government agencies. The public stance by the Chamber of Commerce among other HBGary clients against ‘big government’ belies the firm’s willingness to treat our federal agencies, which arguably have a legitimate security interest, as Uncle Sugar.
First off, however–and not to make excessive light of a serious topic–it is undeniably humorous to see how a bunch of swaggering black-hatters react when they start becoming aware that their own security shortcomings are being ventilated. Gradually the light begins to dawn: The guys with the black hats may have to get out of Dodge.
More seriously, no word yet on when, or whether, HBGary alerted its clients inside our federal intelligence community after becoming aware that its accounts were compromised. In a Sun. Feb. 6, 2011, email with the subject line “Now we are being directly threatened,” Aaron Barr says “I will bring this up with FBI when I meet with them tomorrow,” but out of context the line sounds as much like bluster as anything else. Possibly HBGary may have retained a touching faith to the bitter end, partly based on encouraging feelers put out by CBS’ Sixty Minutes, that the FBI would join with the biggest lobbyists in the corporate world and go after those malefactors at Anonymous.
No word yet on whether Sixty Minutes will do a segment on how Anonymous hacked HBGary, having initially approached the topic from the other end. Be it noted that even while salivating over the free publicity of a Sixty Minutes interview, the company was ridiculing CBS’ Katie Couric and Bryant Gumbel behind the scenes by circulating a video clip from 1994.
The Department of Justice has not yet responded to questions about DOJ deals with HBGary, but the ties appear to have been rather friendly.
That the relationship was ongoing rather than a casual fling is corroborated by the fact that some personnel at HBGary organized themselves for financial purposes as “HBGary Federal LLC.”
Along with the contracts themselves, our federal agencies also benefited this cybersecurity firm by providing venues where it could rub shoulders with some of the globe’s biggest black-hatters, including SAIC. Regrettably, SAIC is itself another major federal contractor, thus extending the potential for security breaches even farther into government. Admittedly it is possible that SAIC has been savvy enough to avoid hiring someone who, like Aaron Barr, would use the same password for all his/her accounts.
Speaking of bigtime contractors, one of the ways HBGary was going to combat the threat posed by its hacking–having finally seen it coming, from a foot away–was by meeting with Booz Allen. Booz Allen has had extensive and deeply rooted ties with the IC and has reaped highly lucrative returns from the relationship.
In any case, only one email seen by this writer suggests a hint of concern in the larger interest, stemming from the company’s security breach.
At the risk of repetition, it is worth noting once again that privatizing, outsourcing, and offshoring pose manifold risks to domestic security as well as to the economy.
As one political science professor comments, “The public knows almost nothing about the extent of consulting on the public dole.”
To be continued