According to a report in Foreign Policy, former NSA head Keith Alexander has ideas. Ideas he wants to patent and turn into a business.  Admittedly, Alexander has had exposure to countering network borne attacks.

In particular, he was in charge of the team at NSA that detected the presence of the Agent.btz worm on the SIPRNet backbone. That is the one that was introduced by attackers in a forward deployed military operation, maybe Iraq or Afghanistan, and caused as much as $1 billion in recovery costs, dubbed Buckshot Yankee.

According to FP, Alexander has come up with behavior based network technology that will thwart APT-style attacks. There appear to be several problems with Alexander’s plan to commercialize his ideas.

1. A patent does not a product make. Patents are great for defending valuable business years down the line, when there is a lot of money being made and there are competitors to slow down.

2.There are hundreds, if not thousands, of products that are available to the enterprise today, most of which the US Government does not use. Alexander’s ideas are going to compete with those. Obviously the Pentagon was late to the game in deploying end point control products that would have prevented the original Agent.btz thumb drive from being inserted. Not to mention IPS and up to date patches on the 3 million PCs in the DoD. Under Alexander’s watch at the NSA it is now apparent that privileged access management solutions were not deployed (talking about Snowden here).

3.As smart as Alexander is, there are lots of smart people in the security industry who have been dealing with this problem for years. There are lots of well-developed products that address the issue of APT. Lots. And, properly deployed, they do a pretty good job.

It takes about two years to go from idea to first commercial products in the security space. It takes another five years to get market traction. Ideas do not justify exorbitant consulting fees (million dollars per month ask according to Bloomberg.) They will not even pass muster with VC firms.

I am not saying that paying Alexander $30K ($600K divided by 20 work days in a month) for a day is not a good value. If it helped move the needle in a large enterprise towards ramping up their security it would be well worth it. I am saying that a new security idea/methodology/product has to be vetted by the market, a cruel judge.

Leave a Reply