The NSA’s Cyber-King Goes Corporate

Keith Alexander, the recently retired director of the National Security Agency, left many in Washington slack-jawed when it was reported that he might charge companies up to $1 million a month to help them protect their computer networks from hackers. What insights or expertise about cybersecurity could possibly justify such a sky-high fee, some wondered, even for a man as well-connected in the military-industrial complex as the former head of the nation’s largest intelligence agency?

The answer, Alexander said in an interview Monday, is a new technology, based on a patented and "unique" approach to detecting malicious hackers and cyber-intruders that the retired Army general said he has invented, along with his business partners at IronNet Cybersecurity Inc., the company he co-founded after leaving the government and retiring from military service in March. But the technology is also directly informed by the years of experience Alexander has had tracking hackers, and the insights he gained from classified operations as the director of the NSA, which give him a rare competitive advantage over the many firms competing for a share of the cybersecurity market.

The fact that Alexander is building what he believes is a new kind of technology for countering hackers hasn’t been previously reported. And it helps to explain why he feels confident in charging banks, trade associations, and large corporations millions of dollars a year to keep their networks safe. Alexander said he’ll file at least nine patents, and possibly more, for a system to detect so-called advanced persistent threats, or hackers who clandestinely burrow into a computer network in order to steal secrets or damage the network itself. It was those kinds of hackers who Alexander, when he was running the NSA, said were responsible for "the greatest transfer of wealth in American history" because they were routinely stealing trade secrets and competitive information from U.S. companies and giving it to their competitors, often in China.

Alexander is believed to be the first ex-director of the NSA to file patents on technology that’s directly related to the job he had in government. He said that he had spoken to lawyers at the NSA, and privately, to ensure that his new patents were "ironclad" and didn’t rely on any work that he’d done for the agency — which still holds the intellectual property rights to other technology Alexander invented while he ran the agency.

Alexander is on firm legal ground so long as he can demonstrate that his invention is original and sufficiently distinct from any other patented technologies. Government employees are allowed to retain the patents for technology they invent while working in public service, but only under certain conditions, patent lawyers said. If an NSA employee’s job, for instance, is to research and develop new cybersecurity technologies or techniques, then the government would likely retain any patent, because the invention was directly related to the employee’s job. However, if the employee invented the technology on his own time and separate from his core duties, he might have a stronger argument to retain the exclusive rights to the patent.

"There is no easy black-and-white answer to this," said Scott Felder, a partner with the law firm Wiley Rein LLP in Washington, adding that it’s not uncommon for government employees to be granted patents to their inventions.

A source familiar with Alexander’s situation, who asked not to be identified, said that the former director developed this new technology on his private time, and that he addressed any potential infractions before deciding to seek his patents.

But Alexander started his company almost immediately after stepping down from the NSA. As for how much the highly classified knowledge in his head influenced his latest creation, only Alexander knows.

In the interview, Alexander insisted that the cybersecurity technology he’s inventing now is distinct enough from his work at the NSA that he can file for new patents — and reap all the benefits that come with them. A patent prohibits any other individual, company, or government agency from using the underlying invention without a license from the patent holder.

But even if Alexander’s new technology is legally unique, it is shaped by the nearly nine years he spent running an intelligence colossus. He was the longest-serving director in the history of the NSA and the first commander of the U.S. Cyber Command, responsible for all cybersecurity personnel — defensive and offensive — in the military and the Defense Department. From those two perches, Alexander had access to the government’s most highly classified intelligence about hackers trying to steal U.S. secrets and disable critical infrastructure, such as the electrical power grid. Indeed, he helped to invent new techniques for finding those hackers and filed seven patents on cybersecurity technologies while working for the NSA.

Alexander used his influence to warn companies that they were blind to cyberthreats that only the NSA could see, and that unless they accepted his help, they risked devastating losses. Alexander wanted to install monitoring equipment on financial companies’ websites, but he was rebuffed, according to financial executives who took part in the discussions. His attempts to make the NSA a cyber-watchdog on corporate networks were seen as a significant intrusion by government into private business.

Few, if any, independent inventors have seen such detailed, classified information about the way hackers work and what classified means the government has developed to fight them, all of which gives Alexander a competitive advantage in his new life as a businessman. That insider knowledge has raised eyebrows on Capitol Hill, where Rep. Alan Grayson (D-Fla.) has publicly questioned whether Alexander is effectively selling classified information in exchange for his huge consulting fee. (Bloomberg reported that the figure dropped to $600,000 after the $1 million figure raised hackles in Washington and among computer-security experts.)

Alexander said that his new approach is different from anything that’s been done before because it uses "behavioral models" to help predict what a hacker is likely to do. Rather than relying on analysis of malicious software to try to catch a hacker in the act, Alexander aims to spot them early on in their plots. Only the market will tell whether his approach is as novel as he claims. (One former national security official with decades of experience in security technology, and who asked to remain anonymous, said the behavioral-model approach is highly speculative and has never been used successfully.)

The former NSA chief said that IronNet has already signed contracts with three companies — which he declined to name — and that he hopes to finish testing the system by the end of September.

"We’ve got a great solution. We’ve got to prove that it works," Alexander said. "It will be another way of looking at cybersecurity that gives us greater capabilities than we’ve had in the past."

Asked why he didn’t share this new approach with the federal government when he was in charge of protecting its most important computer systems, Alexander said the key insight about using behavior models came from one of his business partners, whom he also declined to name, and that it takes an approach that the government hadn’t considered. It’s these methods that Alexander said he will seek to patent.

Alexander said that if he determines that he needs to use technology or methods that the NSA has patented, he will pay for a license, including for anything he helped to invent while he was in office and for which he doesn’t own the rights. During his time at the NSA, Alexander said he filed seven patents, four of which are still pending, that relate to an "end-to-end cybersecurity solution." Alexander said his co-inventor on the patents was Patrick Dowd, the chief technical officer and chief architect of the NSA. Alexander said the patented solution, which he wouldn’t describe in detail given the sensitive nature of the work, involved "a line of thought about how you’d systematically do cybersecurity in a network."

That sounds hard to distinguish from Alexander’s new venture. But, he insisted, the behavior modeling and other key characteristics represent a fundamentally new approach that will "jump" ahead of the technology that’s now being used in government and in the private sector.

Alexander said he was persuaded to start a security business and apply for patents after hearing from potential customers, including company executives, who said they were worried about hackers who could steal or even erase the proprietary data on their companies’ computers. Alexander said they were particularly worried about threats like the Wiper virus, a malicious computer program that targeted the Iranian Oil Ministry in April 2012, erasing files and data.

That will come as a supreme irony to many computer security experts, who say that Wiper is a cousin of the notorious Stuxnet virus, which was built by the NSA — while Alexander was in charge — in cooperation with Israeli intelligence. The program disabled centrifuges in a nuclear plant in Iran in a classified operation known as Olympic Games. The United States has never acknowledged its involvement.

The United States isn’t the only government capable of building data-erasing malware. Iran is building a formidable cyber-army, U.S. intelligence officials say, and is believed to be behind a 2012 attack on an oil company in Saudi Arabia that erased data from more than 30,000 computers. Iranian hackers also launched a series of cyberattacks on major U.S. bank websites the same year, intelligence officials say. The strike took Washington by surprise because it was so sophisticated and aggressive. The hackers hijacked data centers consisting of thousands of computers each and used them to flood the bank websites with digital traffic, causing them to crash.