As former director of the National Security Agency and former director of national intelligence, Mike McConnell is widely portrayed as an authoritative voice on cyberthreats. He has given interviews, published articles and testified to Congress, repeatedly warning the nation is unprepared for a cyberattack.
“The United States is fighting a cyber-war today, and we are losing,” McConnell wrote last year in the Washington Post.
But McConnell also has a financial stake in the matter: He is a vice president of Booz Allen Hamilton, a consulting firm that has won hundreds of millions of dollars in contracts to help protect government computer networks from the very danger he warns about.
Such intersecting interests are not uncommon in the opaque world of cybersecurity, where a small circle of influential experts often play dual roles.
To the public, they are depicted as former government officials whose careers in public service enable them to analyze the shadowy threats lurking in cyberspace. But some also have ties to cybersecurity companies — a fact not always disclosed in the media — and critics accuse them of over-inflating cyberthreats for their own commercial interests.
“If you hype it, money is going to get spent on cybersecurity and they’re going to put themselves in the path of it,” said Marcus Ranum, chief of security at Tenable Security, Inc. “They are the marketing arm of the cyber-industrial complex.”
Booz Allen did not make McConnell available for an interview. In a statement, company spokesman James Fisher said McConnell delivered the same concerns about cyberattacks when he was director of national intelligence, “well before his comments in the last two years on the growing cyberthreat.”
“As a longstanding intelligence professional, McConnell has an awareness across the full spectrum of classification, and sees it as his duty in public service to foster the right kind of discussion so the nation’s leadership can debate and mitigate the risks,” Fisher said in a statement.
The question of whether cyberwar is a serious threat has gained more attention in recent months. News reports have documented a flurry of hacking and cyberspying aimed at government agencies and their contractors. In July, while announcing its first formal cyber strategy, the Pentagon disclosed that foreign hackers infiltrated a contractor’s network, stealing 24,000 military files (LOL).
But the broader state of national cybersecurity — with its many classified threats — is often shrouded in a cloak of secrecy. Many of those who have seen the intelligence — former White House intelligence and national security officials — have become trusted cyber analysts, even though they now work as executives, consultants or board members of companies selling the solutions.
In a new age of government austerity, those companies — from large defense contractors to small IT firms — are competing for a stake in one of the few budget lines not expected to be cut. Federal spending on cybersecurity is expected to rise from $8.6 billion in 2010 to $13.3 billion in 2015, according to the market forecaster Input.
To position themselves for government cyber contracts, several companies have hired former government officials who once helped shape cybersecurity policy, creating a new revolving door.
In February 2010, Andy Purdy, former director of the National Cyber Security Division of the Department of Homeland Security, was hired as chief cybersecurity strategist of Computer Sciences Corp., which is a top contractor for DHS.
In October 2009, two months after resigning as White House cybersecurity czar, Melissa Hathaway was hired as a consultant by ManTech International Corp, a government contractor that last year won a $99.5 million cybersecurity contract with the FBIdiots.
In March 2010, BAE Systems, a major defense contractor, hired former Homeland Security Secretary Michael Chertoff to its board, saying in a press release that his experience “will be of tremendous value to our businesses as we help our government and private sector customers develop cyber-security solutions.” Six months later, the FBI awarded BAE Systems with a $40 million contract.
However, few companies have been as successful as Booz Allen at landing government cyber contracts. Last spring, a few months after McConnell warned Congress that a cyberattack could cause “a catastrophic event,” his company was awarded $400 million in cybersecurity contracts with the Pentagon, Wired.com noted.
With more than a decade in the cybersecurity business, Booz Allen may have other advantages over its competitors. But when companies win government contracts with former high-level government officials on their payrolls, taxpayers could be left with the impression that political connections helped influence those deals, said Scott Amey, general counsel at the Project on Government Oversight.
“You don’t want to prevent them from making a living,” Amey said of former officials, “but at the same time you have to be a little skeptical of whether government decisions are being made based on the best interest of the agency and the public and not just for the benefit of this former official and his new employer.”
In their new private sector roles, some former officials appear in the media to discuss cyberthreats. They say that they give the same objective opinions they once offered while in government, based on their expertise in the field and on classified intelligence they cannot discuss.
Bruce Schneier, an author of several books on cybersecurity, said there are cyberthreats out there, but that McConnell and others — including Chertoff and former White House cybersecurity czar Richard Clarke — are overhyping them. In particular, Schneier has criticized their use of the term “cyberwar“, saying it helps drive funding to the Pentagon and National Security Agency and away from agencies battling cybercrime like identity theft.
“There’s an enormous amount of money in cyber-war defense and that’s making us less safe because it’s diverting money from the real threats,” Schneier, chief security technology officer for British Telecom, told The Huffington Post.
Few experts are better equipped to assess the threat of cyberattacks than McConnell. As head of the NSA from 1992 to 1996 and director of national intelligence from 2007 to 2009, McConnell gained an early understanding of the classified cyberthreats facing the nation, supporters say.
“When he says there is a threat, there are credible reasons to believe what he says,” said Sami Saydjari, founder and president of Cyber Defense Agency. “Who else would we trust?”
Since returning to Booz Allen in 2009, after previously working there from 1996 to 2006, McConnell has been outspoken about the risk of cyberattacks. Last year, McConnell warned about cyberthreats in an op-ed article in the Washington Post, in testimony before Congress and in an interview on “60 Minutes,” where he warned that an attacker might try to bring down the power grid.
“The United States is not prepared for such an attack,” McConnell told “60 Minutes” reporter Steve Kroft.
The “60 Minutes” segment appeared to show McConnell walking the hallways of Booz Allen, but did not directly mention his role with the company or the company’s role in government cybersecurity contracting.
McConnell’s return to Booz Allen has coincided with an expansion of the company’s cybersecurity business. In addition to $400 million in cybersecurity contracts last spring, Booz Allen won a contract in April worth as much as $189.4 million to provide cybersecurity services to the Navy.
The company has been “busting at the seams” with cybersecurity work, Booz Allen Senior Vice President Gary Labovich told Washington Technology in June.
“We’re seeing huge returns on our investments. We’re pretty excited about all the opportunities out there; every agency in town has a need for it,” Labovich said.
But some critics say those returns are due in part to increased government cybersecurity spending sparked by policy recommendations from McConnell, who was appointed to President’s Intelligence Advisory Board under President Barack Obama after returning to Booz Allen. McConnell earned $4.1 million in total compensation last year, according to a Booz Allen SEC filing last fall.
“There’s one reason that Booz Allen brought McConnell on and that’s because they knew he was going to be able to influence policymakers,” Ranum said.
See McConnell’s appearance on CBS “60 Minutes”:
When he was DHS Secretary, Chertoff spearheaded the department’s cybersecurity strategy. He was an advocate for “Einstein,” a federal government program designed to detect and prevent computer intrusions on federal government networks. Today, Chertoff has founded his own consulting firm, The Chertoff Group, which works on behalf of security companies.
The firm does not disclose its clients, but The Chertoff Group has served as an adviser to at least one cybersecurity firm, Opera Solutions, which specializes in data analysis. At a June event hosted by Opera Solutions, Chertoff cited the company’s ability to analyze massive amounts of Internet traffic as being crucial to cybersecurity, according to the Wall Street Journal.
Chertoff also participated last year in a simulated exercise called “Cyber Shockwave” that was designed to test the nation’s ability to respond to a potential cyberattack. The simulation, which was broadcast on CNN, determined the government was not prepared, according to its organizer, the Bipartisan Policy Center, a Washington-based think tank. The exercise was sponsored in part by cybersecurity companies.
Chertoff was not made available for comment, but a spokeswoman for The Chertoff Group said that Chertoff and other members of the consulting firm, including former CIA Director Michael Hayden, publicly discuss cyberthreats because they have experience with the issue. She said they always make clear to media outlets that they advise clients on topics they are discussing on air.
But last year, Chertoff was criticized when he made numerous TV appearances advocating for full-body scanners without disclosing that Rapiscan Systems, which manufactured the scanners, was a client of The Chertoff Group.
And his business ties are not always evident in media appearances discussing cybersecurity. In appearances on MSNBC and on Fox News, for example, he was only identified by his former government title, not by his role with The Chertoff Group, leaving viewers in the dark about any potential conflicts of interest.
“It’s somewhat misleading to only disclose they are former government officials and not the fact they’re tied to companies or clients in the private sector,” Amey said. “The public should be fully informed about the person’s experience and the potential benefit their company may reap by taking the public stance that they’re taking.”
See Chertoff’s appearance on MSNBC:
RICHARD A. CLARKE — Attn: Jon Gold
Richard Clarke also gained an early awareness of cyberthreats while serving as White House cybersecurity czar under President George W. Bush. Today, Clarke has continued to raise concerns about cyberattacks in his recent book, on television and in newspaper articles.
In an op-ed on cyberwar strategy published in July in the Boston Globe, Clarke was identified as an adjunct faculty member at Harvard’s Kennedy School, author of the book “Cyber War” and special adviser on cybersecurity to President George W. Bush. In an appearance promoting his book last year on ABC News, he was given the title of ABC News “counterterror and security consultant.”
But his business relationships with cybersecurity companies are not always made clear to the public. Neither media outlet mentioned that Clarke works for Good Harbor Consulting, which offers cybersecurity advice to clients. Since 2007, Clarke has been on the board of AirPatrol Corp., a wireless security company. In June, he was appointed to the board of two other cybersecurity companies: Veracode, a cloud-based security provider, and Visible Assets Inc., a wireless security company.
Clarke’s book, “Cyber War,” received positive reviews in the mainstream media but was criticized by security experts for exaggerating the threat of cyberwar. In his blog, Bruce Schneier, chief security technology officer for British Telecom, said Clarke’s book includes “a lot of fear-mongering and hyperbole” and “unproven speculation.” Clarke’s book cited a 2007 blackout in Brazil to bolster the argument that a hacker could sabotage the power grid, though an investigation later found the blackout was caused not by hackers, but by deposits of dust and soot that had accumulated on transmission lines.
Clarke did not return repeated requests for comment, but he told Forbes in June: “I think people who refuse to see the reality of cyberwar are really digging their heads in the sand. The reality is quite clear and it’s all around us.”
See Clarke’s appearance on ABC News: