Keith Alexander: I'm Worth $1 Million Per Month Because I'm Patenting A Way To Stop Hackers (Which I Didn't Tell The NSA)

from the say-what-now? dept

The Keith Alexander story just keeps getting more and more bizarre. Almost immediately after retiring from the top position at the NSA, where he oversaw the total failure of the NSA’s supposed “100% auditing” system, allowing Ed Snowden (and who knows how many others) to escape with all sorts of documents, Alexander announced that he had set up a cybersecurity firm — with the ridiculously Hollywood-ish name of IronNet Cybersecurity. A month ago, it was revealed that he’s going around asking banks to pay him $1 million per month for his “expertise.” That caused a few to wonder if he’s selling classified info, because really, what else could he offer?

Alexander has a new answer: Patents! Yes, Keith Alexander is claiming that he has an amazing new anti-hacker technique that is brilliant and wonderful and deserving of at least nine patents. According to Shane Harris over at Foreign Policy:

Alexander said he’ll file at least nine patents, and possibly more, for a system to detect so-called advanced persistent threats, or hackers who clandestinely burrow into a computer network in order to steal secrets or damage the network itself. It was those kinds of hackers who Alexander, when he was running the NSA, said were responsible for “the greatest transfer of wealth in American history” because they were routinely stealing trade secrets and competitive information from U.S. companies and giving it to their competitors, often in China.

Of course, this leads to all sorts of questions. If Alexander had such a brilliant, patentable solution for stopping hackers, why didn’t he, you know, use it while he was at the NSA. His response? He and an unnamed “partner” just came up with it in the last couple months after leaving office:

Asked why he didn’t share this new approach with the federal government when he was in charge of protecting its most important computer systems, Alexander said the key insight about using behavior models came from one of his business partners, whom he also declined to name, and that it takes an approach that the government hadn’t considered. It’s these methods that Alexander said he will seek to patent.

The report also notes that Alexander is a named inventor on seven patent applications filed while he was at the NSA (the US government keeps those), but that these new ones are totally separate.

Now, it is entirely possible that Alexander and his partner magically came up with some new way to deal with cybersecurity — though I’m skeptical. Cybersecurity work involves an awful lot of trial and error in the real world, and Alexander is insisting already that his “fundamentally new approach” will “jump” ahead of existing technology. That’s a bold claim for someone who hasn’t ever actually done work in the commercial field. One thing that we’ve pointed out for years, is that people who have no experience in actually building a technology business almost always overvalue the idea, and undervalue the execution. It certainly looks like Alexander is doing exactly that. He thinks that based on the idea alone — which is totally unproven — he’s worth $1 million per month. He claims three companies have already paid up, though he doesn’t say who (or how much they’re really paying). It seems likely that any actual payments are more because of Alexander’s connections, rather than his brilliant “idea.”

Harris spoke to another expert who notes that the approach Alexander is talking about (behavioral modeling) is one that’s been talked about and tried for years without success. In other words, it’s a perfect example of where ideas sound good, but execution matters. And yet, Alexander insists that his ideas alone — which haven’t been proven yet (and on which he hasn’t even filed these supposed patents) — are so amazing that they will change the nature of cybersecurity?

When Harris asks for more detail about the solution, Alexander wouldn’t tell him any more “given the sensitive nature of the work.” Except, of course, if he’s filing patents on it, the details are supposed to be revealed the public in fairly short order (18 months at most). And, really, if the solution is so great, they should be getting it out there and testing it. Security by obscurity is not the best proving ground. Actually having your solution tested is.

Filed Under: , , , , , ,
Companies: ironnet cybersecurity

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Keith Alexander: I'm Worth $1 Million Per Month Because I'm Patenting A Way To Stop Hackers (Which I Didn't Tell The NSA)”

Subscribe: RSS Leave a comment
Anonymous Coward says:

Re: Re: Easy to beat

Ooh… a new variant of patents… patents for NOT doing things in a certain way.

Maybe one for not running unverified code on a production system?

That said, what makes some information important or vital is its ability to be communicated to the appropriate people. If not the internet, then it’ll be by some other communications medium that is just as subject to advanced persistent threats.

Anonymous Coward says:

Re: Re: Easy to beat

If control of a remote system is needed the choices in order of preference are:-
1) a private network.
2) Ring back over POTS.
3) Remote site connects to a control room over the Internet after a port knock or similar.

Option three is to be avoided for actual control operations, but can be useful for status reporting, including triggering a status report.

The main point being the system should connect to a known control room before accepting any sort of command.
Often a remote sight only needs reporting to a control room, and any problem fixing outside the capabilities of its control system probably needs men on site.

The main system with need for remote control of systems, the railways, electricity distribution, gas and oil pipelines have an existing right of way for access to their kit, and so could, and should have installed the necessary network connections. Companies have have engaged in a false economy if they decided to save costs by using the Internet. An alternative would have been a private wire off of the phone companies, or ring back for occasional low bandwidth connections. A remote site should always have a land-line telephone for safety of of personnel when they have to visit the site, if this is not possible a fixed link radio.

A remote site should never, under any circumstances, accept any form of incoming connection. If needed it should have several alternative control room that it tries to connect to. Any engineer that needs to connect to it from outside a control room can do so via the control room system.

Rikuo (profile) says:

Re: Re: Easy to beat

Two things required for Quantum to work.
1) The target computer has to have wireless capabilities
2) There has to be some sort of code running on the computer that knows to listen through your wireless device in order to accept fresh commands.

Neither of my two computers have wireless capabilities. They are connected by ethernet cable to my modem. If I yank out that cable, they’re completely off the grid. There is no device in them to listen to wireless traffic (I’d know best, since I’ve built one from scratch and heavily modified the other).

Eldakka (profile) says:

Re: Easy to beat

A patent to make a system unhackable.

Patent number: xxx,xxx,xx4

Independent Claim 1)
Obtain radiation sensing equipment that can detect radiation in the 380nm to 750nm (400THz to 789THz) range, hereafter to be referred to as the MIOS (Mark I Ocular Sensor) (related patent xxx,xxx,xx1).

Independent Claim 2)
Obtain the Intergrated Ephemeral Externally Encumbered (IEEE) database that classifies all Critical Access By eLEctricity (CABLE) devices (related patent xxx,xxx,xx2).

Dependent Claim 1)
Use the MIOS to catalog all attached CABLEs to the Classified Obscure Material Plus Unnecessary Terrestrial Extraneous Resources (COMPUTER) device.

Dependent Claim 2)
In conjunction with the MIOS and IEEE database, classify the CABLEs as to their purpose.

Dependent Claim 3)
Using the classifications from Dependent Claim 2, identify all CABLE devices that are electrically connected to a Switching With Incoherent Technology Can’t Hypothesize (SWITCH) device.

Dependent Claim 4)
Use the Hard Analytical No-nonsense Dextrous (HAND) device (related patent xxx,xxx,xx3) to remove the CABLEs’ ability to relay electricity between the COMPUTER and the SWITCH identified in Dependent Claim 3.

John Fenderson (profile) says:


Now, it is entirely possible that Alexander and his partner magically came up with some new way to deal with cybersecurity — though I’m skeptical.

Me too. Over the years, I’ve frequently heard people (inevitably new to the field) proclaim revolutionary discoveries in computer security and crypto. Every single time, their ideas were new only to them and had, in fact, been investigated and developed or discarded by others — often decades (sometimes dozens of decades) earlier. All of the real advances I’ve seen have come from years of hard work, and usually from mathematicians.

That’s not to say he hasn’t found something revolutionary, but the odds of it are really very small.

Anonymous Coward says:

Re: Re:

It’ll be hard to do: he’s targeting Advanced Persistent Threats. For those not familiar with that buzzphrase, he’s basically defending against crocodiles with his magic rock. Sure, crocodiles exist, and they may even find bankers to be tasty, but most of what he’ll be doing has absolutely nothing to do with the security issues banks really have to worry about. If he were peddling this to government organizations or government protest organizations, or even large tech/aerospace companies, that’d be a different story. But he’s not. And banks have to deal with insider data leakage, straightforward in-and-out 0-day attacks and fraud — not APT (where the attack is set up in stages in order to fully compromise the target). There’s virtually no reason to hit a bank with an APT when there are so many less visible, more legal, simple and effective ways to make a profit off a bank. Just look at POS terminal skimming, for one example.

Also, there’s a reason he has experience with APTs — that’s exactly the method intelligence agencies use to do their dirty work; Stuxnet being a prime example.

Ima Fish (profile) says:

Technology companies tend to over-promise and under-deliver. You’ll read complaints from customers concerning soft/hardware where certain promised features were never included. My answer to that problem is to only buy what’s sold, not what is promised to be sold.

And here’s Keith proving my point. He wants to be paid a million a month, for a total of 18 million dollars for a product he promises to patent in 18 months.

I don’t think customers would be getting much value for their money. Can you imagine if Nvidia sold a graphics card with the promise of patented technology a year and a half from now? Good luck with that.

Anonymous Coward says:

Re: Re: You've got to be kidding

Because on information and belief (okay, gossip on the internet if you must know) anyone claiming advances in ‘cybersecurity’ probably has visits or close interest paid in them to ensure they don’t invent something that is really new or that if they do either they are discouraged from continuing or encouraged to open things up a bit for selected friends.

mcinsand (profile) says:

can we tell who hires him?

Is there any way we can tell just who is dumb enough to hire Alexander? I want to make sure that any investments that I have are insulated from such incompetent management. Sure, staying away from a company that would hire Alexander is no guarantee of competent management, but being willing to hire him is a sure sign of incompetence.

Me says:


This article reminds me of a guy studying Comp. Sci. I met that swore he had come up with an algorithm to create an infinite compression drive, a secret he was going to patent. A while later, after he boasted about how rich this was going to make him, I asked him if he knew what one-way mapping was. He didn’t. I explained it to him and he blew up in anger. I had no only hit on his technique, but pointed out there was no way to get the information back.

nasch (profile) says:

Re: Re: Skeptical

I have to be the one to ask…what is one-way mapping? Couldn’t find it on google, is there another term? Obviously you can’t compress infinitively (duh) but I’m curious as to what method he’d come up with.

Probably one-way hashing:

The output is typically a constant size regardless of the input, thus nearly infinite “compression”. Though just deleting the file is even more effective and just as useful.

FM Hilton (profile) says:

Why did he wait?

“Of course, this leads to all sorts of questions. If Alexander had such a brilliant, patentable solution for stopping hackers, why didn’t he, you know, use it while he was at the NSA. His response? He and an unnamed “partner” just came up with it in the last couple months after leaving office”

You do realize that while in the employ of the US government any and all patents that one files while so employed belong to the government, and all profits therein?

Ignore what he said. That’s the real reason why he waited until after he retired.

But that’s not to say he’s got anything really patentable..just that he wanted to make money.

One way or the other.

Anonymous Coward says:

I don’t like the NSA. I don’t like Alexander. In fact, there’s little I like about the Executive Branch as currently realized. I’m fervently hoping that Alexander, in fact, is using and selling classified material. I regard him as foolish enough to do that. I hope I’m right. He, and his cronies, need a LOOOOOOONG vacation in Leavenworth, Ks or Florence, Co.

Anonymous Coward says:

Stating the Obvious

Ed Snowden is a traitor because he copied a bunch of documents that show the NSA to be engaging in practices that very likely violate the Constitution of the United States, and gave those documents to the press.

Keith Alexander is a patriot because he has come up with revolutionary techniques that could virtually end the threat of cyber-terrorism in the USA, and he’s happy to share them — with anyone that pays him enough money.

(Please suspend disbelief re the idea that KA’s ideas have any merit.)

Mitch (profile) says:

Where it came from...

You better listen to what he says, I know he got some of it from a DARPA research project and some from discussion but ultimately he has the expertise to make it work and I wouldn’t bet against it….The theory holds water in the hands of the right people… I think that there is a lack of accountability on the commercialization of DARPA ideas that permeates through universities, businesses alike and there are some people being exploited albeit indirectly definitely…. I want the assets of US companies protected on the same note however and maybe this is the only way to get there…. If I could patent it and sell it myself I would

GEMont (profile) says:

pants on fire...

Lets see now. This is Keith Alexander that we’re talking about right. And we’re talking about his claims that he has a new-fangled, absolutely guaranteed method, to tag cyber bad guys, that he’s about to patent and install in your business for only one million dollars a month… that about sums it up eh.


He’s lying again. That part is a certainty, as its just about the only thing he learned during his time with the NSA – how to lie with a straight face about almost everything to almost anyone. That, and of course, how to steal information from the world.

The planned patents on behavior modelling is simply the “look over there” trick he’s using to cover up his selling of NSA insider secrets to the highest bidders.

Since the companies he’s gonna sell to will not want anyone to know they’ve purchased government secrets to help them protect their information from spies and bad guys, they’re willing to claim that they are merely using Alexander’s patented behavior modelling software. It will part of the deal after all.

So yeah, he’s just another crook, selling what he’s stolen to other crooks… business as usual.

But the most important part of his statement is this:

“It was those kinds of hackers who Alexander, when he was running the NSA, said were responsible for “the greatest transfer of wealth in American history” because they were routinely stealing trade secrets and competitive information from U.S. companies and giving it to their competitors, often in China.”

This is a statement designed to lay the groundwork for a cover up of something that has yet to be disclosed – a huge multifaceted theft and resale of a various trade secrets by members of the NSA that will soon become world news and which will of course be blamed on these unknown mysterious (: and probably Chinese 🙂 “super-hackers”.

Like I’ve said from the outset, the NSA has been using its vast pseudo-legal spying apparatus to steal foreign and domestic trade secrets and to blackmail their enemies and competitors and to ruin the lives of Americans and others who they think might interfere with, or prevent their continued top secret, government approved and protected crime wave.

This massive theft – “”the greatest transfer of wealth in American history” – will obviously become breaking news very soon, and Alexander wants the public to already know in advance that it was the Chinese that done the deed.

Now that’s a slick bit of sleight of hand, and probably why the NSA is letting him sell trade secrets – in return for the pre-education of the US Public – about a crime that was pulled by the NSA, but will be blamed on the Chinese by the Truth Free Press and The Most Transparent Administration In American History, once the news actually breaks.

What a total dick head!

Anonymous Coward says:

If he’s so rich have him send me a million or two…I don’t believe that he could find out who I am, my name and address never mind have that kind of money to give out to others! Ha! Ha!
What bank would really pay the guy millions of dollars just because he says he can keep hackers from banks? I’m sure new ways are found every day for hackers? How could he really prevent them? He can’t think ahead and no computer has the ability to truly think like a human brain does.

Cookie Monster says:

I am just wondering, does anyone actually know Keith Alexander? Everyone assumes that he does not have what it takes to get the job done. Just remember that there are always two sides to a coin. The media can always influence a group of people to get the torches and pitch forks going.
Just my opinion, and you don’t have to agree.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...