BOOZ ALLEN ETC and subcontractors

Part of the fallout from the spectacular security breach at Booz Allen Hamilton itself–when its contractor Edward Snowden, hired at age 29 to monitor global classified security from inside a National Security Agency station in Hawaii, revealed the capabilities–is that the subcontractor who vetted Snowden for Booz Allen is being investigated.

Quis custodiet ipsos custodes?

The subcontractor is northern Virginia-based US Investigations Services (USIS). The company is not connected to the federal United States Information Service. The USIS web site bills it as “the leader in federal background investigations.” From a recent media release comes this announcement that USIS has won a contract from the Department of Homeland Security:

“FALLS CHURCH, Va., – US Investigations Services Professional Services Division, Inc. (USIS PSD), a subsidiary of US Investigations Services, LLC (USIS), the largest commercial provider of background investigations to the federal government, has been awarded a prime contract by the Department of Homeland Security, U.S. Citizenship and Immigration Services (USCIS), to provide biometric capture services in support of applications for a variety of immigration benefits and U.S. citizenship. The indefinite-delivery/indefinite-quantity contract is for one base year with four one-year options and has a potential value of $889 million over a five-year period.”

More good news for immigrants. Further information on USIS, from the company:

“USIS provides services under more than 100 contracts. It is the largest commercial provider of background investigations to the federal government. It has more than 6,000 employees providing services in all 50 states and U.S. territories and overseas. USIS offers a variety of adjudication support, including background checks, litigation support, records support, investigative analytics and biometric services, as well as customized solutions that help government clients manage records, information and documents. Learn more at www.USIS.com.”

Also provided is the company’s statement on the June 20 Senate Homeland Security Subcommittee hearing–Yes, we are being investigated–but it was not about Snowden, at least not last year–Nobody knew about Snowden then, including us:

“FALLS CHURCH, VA, June 20, 2013 — At a Senate hearing today, questions were raised as to whether USIS is under “criminal investigation.” USIS has never been informed that it is under criminal investigation. In January 2012, USIS received a subpoena for records from the U.S. Office of Personnel Management’s (OPM) Office of Inspector General (OIG). USIS complied with that subpoena and has cooperated fully with the government’s civil investigative efforts.

In the same Senate hearing, questions were raised as to whether USIS had conducted the initial background investigation, or a periodic reinvestigation, for the security clearance of Edward Snowden. USIS conducts thousands of background investigations annually for OPM and other government agencies. These investigations are confidential and USIS does not comment on them.”

The federal investigation into USIS itself was first reported by the Wall Street Journal:

“USIS, a Falls Church, Va., company owned by private-equity firm Providence Equity Partners LLC, has more than 7,000 employees and conducts 45% of OPM investigations done by contractors, officials said. Last year, USIS received $200 million for its work, Ms. McCaskill said.”

The Washington Business Journal faults lack of competition in contracting for problems:

“So what is this type of work worth? In 2011, USIS was awarded a multiyear contract by OPM to conduct background investigative fieldwork for government agencies. The estimated total value of the contract was about $2.45 billion over five years. And USIS held the same contract before that award.”

Bloomberg News blames the outsourcing on Al Gore:

“The revelation that Snowden disclosed two classified U.S. surveillance programs after being vetted by USIS may have damaged the company’s reputation and prompted questions about the wisdom of outsourcing security reviews.”

Bloomberg has a point. I, for one, also blame Al Gore for firing Keith Olbermann from CurrentTV.

But I digress.

Moving away from humor, Sourcewatch, among other sites, noted much earlier that the company was involved in the 2004 assault on Fallujah, in Iraq, and in an investigation on the assault connected to the death of Col. Ted Westhusing in 2005.

The company that owns USIS, Providence Equity Partners LLC, focuses, according to its web site and company filings, on investing in “media, communications, education and information.” More information:

“Established in 1989, the firm pioneered a sector-based approach to private equity, convinced that a dedicated team of industry experts could build companies of enduring value in the dynamic communications industry. Guided by this commitment, we have led some of the most exciting and successful companies in our sectors, generating superior investment returns across economic cycles. Today, having invested in more than 130 companies over our 23-year history, Providence is one of the world’s premiere private equity firms and a dominant global franchise in the media, communications, education and information industries. . . .

Our team actively seeks investment opportunities on a global basis from offices in Providence, New York, London, Hong Kong, Beijing and New Delhi. We partner with companies across different stages in their development, from growth capital and complex recapitalizations of family-owned businesses to large buyouts and take-privates. We can employ a variety of financing structures and target equity investments of $150 million to $800 million. We prefer to lead our investments, serve on company boards, and work collaboratively with company management. From broadband to broadcast, music to film, wireline to wireless, publishing to Internet, we bring unparalleled industry, financial and operational expertise to each of our portfolio companies.”

Sounds secure, doesn’t it? Who would imagine that a global company, its offices around the world connected by thousands of electronic messages and transactions weekly, could have any problems–even indirect–with security breaches on its watch?

When again did satire die, exactly?

Among those companies is Altegrity, the parent company of USIS. Altegrity is among other things the holding company for Kroll Ontrack Inc. and London-based Kroll Advisory Solutions, spin-offs from the former Kroll Inc, which provided security services in Iraq. Kroll, like Booz Allen Hamilton with which it had significant interchange, was up to its eyeballs in boosting war with Iraq, a war for which it also helped prepare and from which it received substantial government contracting business. Kroll was previously owned by Marsh & McLennan, also involved both in boosting the invasion of Iraq and in Iraq war business once the war was underway. So once again–not to hammer a point that should be sufficiently obvious by now–we have security and investigation companies participating in monitoring, oversight, or investigation of what amounts to their own previous work. The companies, furthermore, having won government contracts for their previous work, are now winning government contracts to retrace the steps–so to speak–on a global scale.

 

Another company held by Altegrity, by the way, is HireRight, “the commercial employment screening business of Altegrity that serves more than 30,000 commercial customers in the U.S. and overseas, including more than 25 percent of the Fortune 500.”

 

It remains to be seen whether the vetting for those 30,000 commercial customers rises to the standard of the vetting that gave us Edward Snowden.

 

To be continued

BOOZ ALLEN ETC Continued

The June 2013 news that Booz Allen Hamilton entrusted a 29-year-old disaffected cyber-geek with oxymoronic global secrets, stationed him in Hawaii, and placed him under the supervision apparently of his girlfriend, should come as a surprise. Instead it comes as part of a familiar pattern.

Ironies are too easy to find. To avoid belaboring the obvious, I’ll quote just one Booz Allen press release, this one from February 2013 headed “Booz Allen Hamilton Launches Cyber4Sight Threat Intelligence Services.” 

The gist:

“Booz Allen Hamilton today launched Cyber4Sight™ Threat Intelligence Services, which uses multiple data sources to identify and monitor an organization’s unique cyber security profile, determine its “attack surface,” and deploy military grade predictive intelligence to anticipate, prioritize and mitigate cyber threats 24/7. This anticipatory service produces real-time, practical indications and warnings so that commercial organizations can take defensive actions against cyber attacks long before they occur.”

Taking the PR statement at face value, one might be inclined to ask whether Booz Allen considered itself a commercial organization or whether “cyber attacks” include someone inside giving away the store. As said, too easy.

It’s the take-aways that matter. Among them, the following:

1) When you’re talking about the business of the U.S. government, every privatizing, off-shoring or outsourcing is potentially a security breach. This is particularly the case when the government contractors are extremely well-connected, and when the business involved–surveillance, cyber security, etc.–is extremely sensitive or top-secret. The potential intensifies when the contractor is a behemoth and starts to fall into the Too-Big-to-Expose category. These are not factors that enhance oversight, transparency and accountability. Anti-labor types should bear in mind that the ‘privatizing’ mindset that devalues loyalty in favor of big-bucks contracts opens the door to similar security breaches. As ever, when you work with a security firm, what’s on your computers is on their computers.

2) When people start thinking they are above or beyond the law, trouble looms. This principle should be obvious, maybe, but some obvious applications–as they say in R & D–seem not to have been developed. I am not talking so much about Edward Snowden here, as about the mentality that led his corporate employers to hire him. Snowden was not picked from a stack of resumes in Human Resources. He billed himself as special in ways that appeal to the anti-egghead echelon of executive leadership–a de-emphasis on time and labor, including time spent in school; a certain pride in skirting the rules or at least the guidelines, including valuable principles; and a devaluing of serious non-commercial education. Thus he walked in through a side door, figuratively located just the other side of the Executive Men’s Toilet. They’re paying for it now.

3) Anti-‘government’ rhetoric is not a solution. ‘Small government’ types in certain circles are exactly the people building mega-billion corporate complexes, bulldozing the Bill of Rights at work and in the community, and then being breached in one way or another. In political circles and in finance circles and in military-and-security technology circles, ‘small government’ types are people simply asking for less supervision and more money for themselves, under the headings of ‘less government’ and ‘lower taxes.’ These are not people who tend to be reflective types, regularly questioning and examining their own motives, leaning over backward to give the other guy his due. Booz Allen Hamilton, one of the biggest contractors in Washington, benefiting from government at all levels–more on that later–donates copiously to politicians who shriek ‘less government’ and ‘lower taxes.’ “Smaller government”? From the corporate allies of our Chamber of Commerce? Typically they avidly solicit and receive contracts from Uncle Sam, to such an extent that the cyber-security sector has become one of the biggest harbors of corporate welfare.

4) Macho corporate swagger is not a solution. The bigger they come, the harder they fall. Not all of Booz Allen’s extensive ties in the intelligence community, the American military, civilian government agencies and beyond saved it from mistakes so elementary that, literally, many eighth-graders would have known enough to avoid them. The price of democracy is constant vigilance. That means not just state-of-the-art technology, but a close eye on human values. Too much careerist games-playing is incompatible with genuine security.

These are all lessons repeatedly illustrated over recent decades and/or since the year 2000. The point, as previously written, is that previous lessons have not been learned thoroughly enough. The incoming Obama administration had a lot on its plate in January 2009, but it still needed to clean house thoroughly. Unfortunately, having ensconced private security and private ties to military capabilities in government at the highest levels, the national political establishment was little able to mitigate some of the problems.

Thus, as the Booz Allen press release has it,

“Today’s cyber threats are increasingly targeting corporations and governments to conduct industrial espionage, undermine business and financial operations and sabotage infrastructure. A perimeter defense alone is no longer sufficient protection–adversaries are too many, too fast and too sophisticated. Organizations need a new paradigm that combines real-time security resources with a rigorous method of mitigating cyber risks. Booz Allen has combined its deep functional cyber expertise from the intelligence community with its operational military experience to create Cyber4Sight.”

Potential ‘adversaries’ include, you might say, your own people who are less than entranced with many aspects of what you’re doing. Potentially that might encompass much of the United States population.

 

Going forward, there are questions to be addressed, humorous or otherwise:

Isn’t it possible to vet contractors to prevent giving more government contracts to–for example–a company with its own cyber-security problems?

Is anyone moving to review Booz Allen Hamilton’s current federal contracts or other contracts, at least those involved with security, surveillance, or monitoring security or surveillance, etc.?

Is anyone moving to reduce the shoulder-rubbing between government agencies and some of our extensively breached contractors?

Back to that press release:

“Booz Allen’s Cyber4Sight provides clients–from banks to insurance companies to energy utilities–with anticipatory cyber threat intelligence that allows them to cultivate a proactive security posture, get ahead of an attack, assess risks and take appropriate actions to mitigate future attacks. Cyber4Sight combines the science of Big Data with the art of analysis and information gathering to give clients a holistic, forward-looking cyber security program. This service is the result of a significant multi-year investment Booz Allen has made to create an infrastructure that globally integrates data collection, aggregation and analysis and engages cyber analysts from a myriad of disciplines.”

Including high-school dropouts.

Leaving the Snowden matter aside–

As said before, due diligence should be routine in federal contracting. This is especially true in security. Aside from other measures, tightening up disclosure requirements for lobbying would help. It is not enough just to require ‘registered’ lobbyists to provide certain information. We need to require everyone who lobbies to ‘register.’

 

To be continued