Keith Alexander recently made the move to the private sphere, yet he remains in the spotlight as much now as he was before: chatting it up with news outlets like CNN, comedy shows like HBO's Last Week Tonight with John Oliver, and trade groups where he's reportedly selling his former-head-of-the-NSA expertise, through his consulting firm IronNet Cybersecurity Inc., for as much as $1 million a month.

But despite the new job title, the rhetoric hasn't changed much.
“What I’m concerned about is we’re going to have a 9/11 in cyberspace,” Alexander said.
We can toss that quote into the already overflowing bucket of make-you-want-to-build-a-bomb-shelter-and-hide-from-the-world statements around cybercrime:
  • Alexander previously called cybercrime "the greatest transfer of wealth in history" and gave the critical infrastructure of the U.S. a grade of 3 out of 10.
  • In 2012 Defense Secretary Leon E. Panetta famously warned of a “cyber-Pearl Harbor that would cause physical destruction and the loss of life, an attack that would paralyze and shock the nation and create a profound new sense of vulnerability.”
  • Security-related companies like IID love making attention-grabbing headlines like we will soon "witness the first ever public case of murder via hacked Internet-connected device" and the Internet of Things means "malicious hackers will have the power to provoke chaos inside your home, burning your house down by hacking your oven to flood your house with gas and ignite it."
Everyone seems keen on connecting the dots from cyber-attack to death.

Moving Beyond the Warm Fuzzies

Fear is a great motivator for sales, as we've discussed in the past here on HackSurfer.
Play up the danger, then offer a warm, fuzzy blanket that solves the problem. That's why some have argued antivirus actually makes the world less safe. Not because it physically makes a computer less secure, but because it's so often been portrayed (intentionally?) to the average Joe as the only thing needed, making people's actions less safe.
Just $39.99 and you'll be safe. Go ahead: click, download, open anything you want. You're safe and protected.
As Alexander walks through that revolving door, it seems as if everything's going one step further on that front.
Bea Edwards, the executive and international director of the Government Accountability Project, weighed in on Friday:
Looking at this arrangement objectively, it seems fishy. For a price, the General can tell you pretty accurately what a sophisticated cyber attacker can do to your database. He knows this because he managed these attacks. Consequently, for another pantload of payments, IronNet Cybersecurity Inc. will tell you how to fend off these assaults. The revolving generals and bankers can appropriate the products of our publicly-funded cyber research and development and deploy it for the financial world for a steep (privately collected) price.

In the person of Keith Alexander, we're seeing the de facto merger of corporate financial power and government overreach. Some subset of corporations is paid to develop the cyber attack and defense capability of the US government, and another subset pays the graduates of the contracting agencies (the NSA and USCYBERCOM) for an inside route to the technology.

All of this is conducted behind the veil of the War on Terror, an increasingly profitable funding vehicle for those well-placed to hop on board.

David vs. Goliath


When it comes to a game-changing event – a cyber Pearl Harbor or 9/11 – one could argue that we've already seen quite a few. Flash back six months to just after the Target breach and we were having this conversation over huge breaches.
  • Adobe confirms it has notified 38 million users that encrypted data, including credit card data, may have been compromised. Brian Krebs reports that number may be as high as 150 million.
  • In addition to the 40 million payment cards and information on up to another 70 million customers stolen at Target, other retailers were compromised including Neiman Marcus and Michaels – maybe a third of the U.S. population.
  • 16 million email addresses, user names and passwords may have been stolen – 20% of the German population.
  • One person in South Korea, a contractor with the Korea Credit Bureau, is alleged to have stolen the personal data of 20 million citizens – 40% of the population.
  • eBay tells 145 million users to change their passwords.
That's just a handful of breaches from the past six months or so.
Combine the end-of-the-world rhetoric with a number of massive breaches dominating the news and affecting huge segments of the population, and it's leading to another problem identified by SurfWatch Labs' data analysts:
Distorted sense of data breach severity in the sector - The recent volume of large attacks coupled with constant media coverage threatens to create a high reaction threshold to retail data breaches; even if a breach does not compromise millions of cards and garner front-page national news, it is still a serious incident which will decrease customer confidence and hurt business.
Despite all the "awareness" from the past year, the media's focus on these large breaches can easily push small and medium businesses to believe they've been right all along; it is only large businesses being targeted, and cybersecurity can remain on the back burner.
And despite the best intentions of people like Alexander, who I have to believe are far more knowledgeable than me and are likely trying to create more awareness on this issue, the rhetoric is actually doing the opposite in some cases – reinforcing for many what they've always thought: cybersecurity is too big and too confusing and a problem that is beyond them.
Much has been made of the awareness created around cybercrime in 2013. The hope was in 2014 that awareness would translate into action. For many reasons, we're still waiting.