from the say-what-now? dept

The Keith Alexander story just keeps getting more and more bizarre. Almost immediately after retiring from the top position at the NSA, where he oversaw the total failure of the NSA’s supposed “100% auditing” system, allowing Ed Snowden (and who knows how many others) to escape with all sorts of documents, Alexander announced that he had set up a cybersecurity firm— with the ridiculously Hollywood-ish name of IronNet Cybersecurity. A month ago, it was revealed that he’s going around asking banks to pay him $1 million per month for his “expertise.” That caused a few to wonder if he’s selling classified info, because really, what else could he offer?

Alexander has a new answer: Patents! Yes, Keith Alexander is claiming that he has an amazing new anti-hacker technique that is brilliant and wonderful and deserving of at least nine patents. According to Shane Harris over at Foreign Policy:

Alexander said he’ll file at least nine patents, and possibly more, for a system to detect so-called advanced persistent threats, or hackers who clandestinely burrow into a computer network in order to steal secrets or damage the network itself. It was those kinds of hackers who Alexander, when he was running the NSA, said were responsible for “the greatest transfer of wealth in American history” because they were routinely stealing trade secrets and competitive information from U.S. companies and giving it to their competitors, often in China.

Of course, this leads to all sorts of questions. If Alexander had such a brilliant, patentable solution for stopping hackers, why didn’t he, you know, use it while he was at the NSA. His response? He and an unnamed “partner” just came up with it in the last couple months after leaving office:

Asked why he didn’t share this new approach with the federal government when he was in charge of protecting its most important computer systems, Alexander said the key insight about using behavior models came from one of his business partners, whom he also declined to name, and that it takes an approach that the government hadn’t considered. It’s these methods that Alexander said he will seek to patent.

The report also notes that Alexander is a named inventor on seven patent applications filed while he was at the NSA (the US government keeps those), but that these new ones are totally separate.

Now, it is entirely possible that Alexander and his partner magically came up with some new way to deal with cybersecurity — though I’m skeptical. Cybersecurity work involves an awful lot of trial and error in the real world, and Alexander is insisting already that his “fundamentally new approach” will “jump” ahead of existing technology. That’s a bold claim for someone who hasn’t ever actually done work in the commercial field. One thing that we’ve pointed out for years, is that people who have no experience in actually building a technology business almost always overvalue the idea, and undervalue the execution. It certainly looks like Alexander is doing exactly that. He thinks that based on the idea alone — which is totally unproven — he’s worth $1 million per month. He claims three companies have already paid up, though he doesn’t say who (or how much they’re really paying). It seems likely that any actual payments are more because of Alexander’s connections, rather than his brilliant “idea.”

Harris spoke to another expert who notes that the approach Alexander is talking about (behavioral modeling) is one that’s been talked about and tried for years without success. In other words, it’s a perfect example of where ideas sound good, but execution matters. And yet, Alexander insists that his ideas alone — which haven’t been proven yet (and on which he hasn’t even filed these supposed patents) — are so amazing that they will change the nature of cybersecurity?

When Harris asks for more detail about the solution, Alexander wouldn’t tell him any more “given the sensitive nature of the work.” Except, of course, if he’s filing patents on it, the details are supposed to be revealed the public in fairly short order (18 months at most). And, really, if the solution is so great, they should be getting it out there and testing it. Security by obscurity is not the best proving ground. Actually having your solution tested is.

About The Author

Shopping Cart