BOOZ ALLEN ETC Continued
The June 2013 news that Booz Allen Hamilton entrusted a 29-year-old disaffected cyber-geek with oxymoronic global secrets, stationed him in Hawaii, and placed him under the supervision apparently of his girlfriend, should come as a surprise. Instead it comes as part of a familiar pattern.
Ironies are too easy to find. To avoid belaboring the obvious, I’ll quote just one Booz Allen press release, this one from February 2013 headed “Booz Allen Hamilton Launches Cyber4Sight Threat Intelligence Services.”
The gist:
““Booz Allen Hamilton today launched Cyber4Sight™ Threat Intelligence Services, which uses multiple data sources to identify and monitor an organization’s unique cyber security profile, determine its “attack surface,” and deploy military grade predictive intelligence to anticipate, prioritize and mitigate cyber threats 24/7. This anticipatory service produces real-time, practical indications and warnings so that commercial organizations can take defensive actions against cyber attacks long before they occur.”
Taking the PR statement at face value, one might be inclined to ask whether Booz Allen considered itself a commercial organization or whether “cyber attacks” include someone inside giving away the store. As said, too easy.
It’s the take-aways that matter. Among them, the following:
1) When you’re talking about the business of the U.S. government, every privatizing, off-shoring or outsourcing is potentially a security breach. This is particularly the case when the government contractors are extremely well-connected, and when the business involved–surveillance, cyber security, etc.–is extremely sensitive or top-secret. The potential intensifies when the contractor is a behemoth and starts to fall into the Too-Big-to-Expose category. These are not factors that enhance oversight, transparency and accountability. Anti-labor types should bear in mind that the ‘privatizing’ mindset that devalues loyalty in favor of big-bucks contracts opens the door to similar security breaches. As ever, when you work with a security firm, what’s on your computers is on their computers.
2) When people start thinking they are above or beyond the law, trouble looms. This principle should be obvious, maybe, but some obvious applications–as they say in R & D–seem not to have been developed. I am not talking so much about Edward Snowden here, as about the mentality that led his corporate employers to hire him. Snowden was not picked from a stack of resumes in Human Resources. He billed himself as special in ways that appeal to the anti-egghead echelon of executive leadership–a de-emphasis on time and labor, including time spent in school; a certain pride in skirting the rules or at least the guidelines, including valuable principles; and a devaluing of serious non-commercial education. Thus he walked in through a side door, figuratively located just the other side of Executive Men’s Toilet. They’re paying for it now.
3) Anti-‘government’ rhetoric is not a solution. ‘Small government’ types in certain circles are exactly the people building mega-billion corporate complexes, bulldozing the Bill of Rights at work and in the community, and then being breached in one way or another. In political circles and in finance circles and in military-and-security technology circles, ‘small government’ types are people simply asking for less supervision and more money for themselves, under the headings of ‘less government’ and ‘lower taxes.’ These are not people who tend to be reflective types, regularly questioning and examining their own motives, leaning over backward to give the other guy his due. Booz Allen Hamilton, one of the biggest contractors in Washington, benefiting from government at all levels–more on that later–donates copiously to politicians who shriek ‘less government’ and ‘lower taxes.’ “Smaller government”? From the corporate allies of our Chamber of Commerce? Typically they avidly solicit and receive contracts from Uncle Sam, to such an extent that the cyber-security sector has become one of the biggest harbors of corporate welfare.
4) Macho corporate swagger is not a solution. The bigger they come, the harder they fall. Not all of Booz Allen’s extensive ties in the intelligence community, the American military, civilian government agencies and beyond saved it from mistakes so elementary that, literally, many eighth-graders would have known enough to avoid them. The price of democracy is constant vigilance. That means not just state-of-the art technology, but a close eye on human values. Too much careerist games-playing is incompatible with genuine security.
These are all lessons repeatedly illustrated over recent decades and/or since the year 2000. The point, as previously written, is that previous lessons have not been learned thoroughly enough. The incoming Obama administration had a lot on its plate in January 2009, but it still needed to clean house thoroughly. Unfortunately, having ensconced private security and private ties to military capabilities in government at the highest levels, the national political establishment was little able to mitigate some of the problems.
Thus, as the Booz Allen press release has it,
“Today’s cyber threats are increasingly targeting corporations and governments to conduct industrial espionage, undermine business and financial operations and sabotage infrastructure. A perimeter defense alone is no longer sufficient protection–adversaries are too many, too fast and too sophisticated. Organizations need a new paradigm that combines real-time security resources with a rigorous method of mitigating cyber risks. Booz Allen has combined its deep functional cyber expertise from the intelligence community with its operational military experience to create Cyber4Sight.”
Potential ‘adversaries’ include, you might say, your own people who are less than entranced with many aspects of what you’re doing. Potentially that might encompass much of the United States population.
Going forward, there are questions to be addressed, humorous or otherwise:
Isn’t it possible to vet contractors to prevent giving more government contracts to–for example–a company with its own cyber-security problems?
Is anyone moving to review Booz Allen Hamilton’s current federal contracts or other contracts, at least those involved with security, surveillance, or monitoring security or surveillance, etc?
Is anyone moving to reduce the shoulder-rubbing between government agencies and some of our extensively breached contractors?
Back to that press release:
“Booz Allen’s Cyber4Sight provides clients–from banks to insurance companies to energy utilities–with anticipatory cyber threat intelligence that allows them to cultivate a proactive security posture, get ahead of an attack, assess risks and take appropriate actions to mitigate future attacks. Cyber4Sight combines the science of Big Data with the art of analysis and information gathering to give clients a holistic, forward-looking cyber security program. This service is the result of a significant multi-year investment Booz Allen has made to create an infrastructure that globally integrates data collection, aggregation and analysis and engages cyber analysts from a myriad of disciplines.”
Including high-school dropouts.
Leaving the Snowden matter aside–
As said before, due diligence should be routine in federal contracting. This is especially true in security. Aside from other measures, tightening up disclosure requirements for lobbying would help. It is not enough just to require ‘registered’ lobbyists to provide certain information. We need to require everyone who lobbies to ‘register.’
to be continued