Ex-NSA chief defends his profitable cyber-security business
Published time: August 06, 2014 10:05
Edited time: August 06, 2014 12:43
As the marriage between surveillance and non-governmental cyber-security firms comes under the spotlight, former NSA chief Keith Alexander fends off criticism of his new lucrative business, which he claims will revolutionize cyber-security.
Alexander, who recently announced work on a number of “game-changing” patents to propel cyber security forward, sees nothing improper in the practice, as he revealed in a Tuesday interview with the AP.
The former NSA head also stands to answer why he failed to share some of his groundbreaking ideas in his time as a government employee. But for Alexander, this seems to be a straightforward pursuit of doing business and making a living.
...
The business was rumored to be bringing him a cool $1 million a month, but Alexander has brushed off the figure as inflated.
Explaining further why IronNet Cybersecurity is different to how the government uses information, Alexander said that the NSA only had authority to defend secret government networks, whereas his work will be focused on the private sector.
The tools and technical reach are at this point unknown, but "If it actually works, this will be worth a lot," he said of his new “behavioral model,” which purports to use sophisticated techniques to catch unconventional hackers.
Critics see a number of issues with Alexander’s new venture, IronNet Cybersecurity. Apart from the generally disliked idea of government officials cashing in on sensitive information learned and tools retained from public service, people worry that any type of access to sensitive information by private firms using high-tech tools is not good. Only recently there was a private sector initiative to pool top officials from eight US government agencies to create a council that would defend the banking industry from cyber-attacks.
Indeed, the Securities Industry and Financial Markets Association (SIFMA), the Wall Street group that proposed the council, has retained Alexander’s services. That agreement and others have raised concerns among those who’ve said Alexander may be in the business of disclosing state secrets for any company with a budget big enough to afford his services. [Conflict of interests? - May have moved on from public service, but does it form a 'conflict of interest' type of problem from mixing it up in the private sector?]
Last month, the Senate Select Committee on Intelligence voted overwhelmingly to approve the new controversial cyber security bill – the Cybersecurity Information Sharing Act (CISA), which SIFMA endorses. Privacy advocates are naturally opposed to the legislation, which lawmakers have been trying to push through for years. They believe that codifying a program to share digital data between the government and private sector would open the private sector up to sensitive information pertaining to millions of Americans.
One scornful comment illustrating this came from the World Socialist Website’s Thomas Gaist, who says that “CISA clears the way for virtually unrestrained information sharing between the US government and corporations.”
The criticism is not unique to rights groups – government officials occasionally also voice concern.
...
Although Alexander’s move into private business has caused concern in some circles, he is traveling an already paved road, being the latest in a line of government, intelligence and security officials who go on to private sector work after an illustrious government career. Some examples include the first secretary for homeland security, Tom Ridge – he now has his own firm; the second homeland security secretary, Michael Chertoff, also has one; just as the NSA’s previous director, Michael Hayden, who now works with Chertoff.
...
The thing that struck me most in this article is the cyber security bill was voted for approval by the 'Senate Select Committee on Intelligence'.
As Thomas Gaist says, the Cyber Security Information Sharing Act (CISA) exposes the public to 'unrestrained information sharing between the US government and corporations'. That's creepy.
New to looking at politics and unfamiliar with US politics, but I believe the next step is back to the House of Representatives and to the Senate, before a final rubber stamping by Obama and bringing the proposed legislation into being as law.
...........................................................................
Discussion Draft of CISA proposed Bill - here.
Wikipedia - CISA proposed Bill - here.
The Guardian - says Senate giving more powers to NSA in secret - here.
Wikipedia on former NSA head Keith Alexander - here. Military background (now retired). Introduced the 'collect it all' approach:
believed by Glenn Greenwald of The Guardian to be the model for the comprehensive world-wide mass archiving of communications which NSA had become engaged in by 2013.
Note also: 'stockpiling of zero-days'. Not really sure what this means specifically, but it relates to exploiting unpatched (and unknown) software vulnerabilities ... for spying.
Wired reported:
“In almost all instances, for widely used code, it is in the national interest to eliminate software vulnerabilities rather than to use them for US intelligence collection,” the report reads. “Eliminating the vulnerabilities–’patching’ them–strengthens the security of U.S. Government, critical infrastructure, and other computer systems.”
Obama’s response to his advisers’ review, however, added a major loophole, allowing any zero-day vulnerabilities to be exploited if they have a “clear national security or law enforcement” application.
.. read the article -
here - if interested.
Hey, following the Wired link, found this:
This, of course, gives the government wide latitude to remain silent on critical flaws like the recent Heartbleed vulnerability if the NSA, FBI, or other government agencies can justify their exploitation.
A so-called zero-day vulnerability is one that’s unknown to the software vendor and for which no patch therefore exists. The U.S. has long wielded zero-day exploits for espionage and sabotage purposes, but has never publicly stated its policy on their use. Stuxnet, a digital weapon used by the U.S. and Israel to attack Iran’s uranium enrichment program, used five zero-day exploits to spread.
The stuff about US and Israel hacking(?) Iran is pretty interesting. Why doesn't Iran hack right back?
Anyway, I'm not sure what the fuss is about because it stands to reason that they'd use ANYTHING they can to their advantage. Why is this surprising?