Imagine you’re the CEO of a Fortune 500 company called Deep State Secret Sauce (“Special Ops for Your Tastebuds”™), and, looking out at distant harbour sailboats tacking beneath luffing seagulls, you’re feeling rather chuffed by Deep State’s steady rise past spicy mustards and gourmet relishes, when your reverie’s broken by an ‘urgent’ call. It’s the Feds. They want to talk. Now. You clench your buns.
An hour later a G-man arrives wearing a tangerine tie, looking like Efrem Zimbalist’s bastard junior, and plops in a seat. “Deep State’s been hacked,” he declares. Impossible: Your IT crew’s the best, vetted down to their chromosomes. Your system is sound, secure, religiously managed. You raise a sceptical brow, and Agent Orange plops down a folder and says, “Read.” You open the folder; staring up at you is the formula for your secret sauce. You gasp, feel violated, tears well up, and the G-man smiles.
He tells you, no worries, everybody must get stoned.
Some say hundreds of CEOs have been notified by the Feds of breaches. Everyone says the same thing: We spend millions every year on information security. We run a tight ship. Our servers are locked down. How can this be?
In each case, the Feds have recommended calling in the ghostbusters of cyber security, Mandiant. You’ve never heard of them before. Then a Mandiant team shows up at corporate headquarters with their tools and a prepared PowerPoint explanation of the facts. They repeat to you the astonishing fact that Kevin Mandia, its director, after whom the company is named, told the US House of Representatives Select Committee on Intelligence back on October 4, 2011:
“More than 90% of the breaches Mandiant responds to are first detected by the government, not the victim companies. That means that 9 in every 10 companies we assist had no idea they had been compromised until the government notified them.”
(Mandia gives the same or similar spiel in a Q and A he did at his alma mater, Lafayette, which is worth the watch to learn about the processes at work here.)
And when the presentation is finished, you and your expensive IT crew sit there shocked, even awed. How did they do it? Why did they do it? How much company information did they gather before notifying you? You’ve been smugly amused by the NSA’s comprehensive privacy intrusions on citizens, but now they are essentially telling you that those tactics apply to corporates as well. You demand answers, which they wave off with the invocation of ‘national security’ and a vague reference to the internet as a battlefield. Mandiant goes on and says, “It’s not a matter of if you will be breached, but when.” This is gobsmacking stuff for a highly trained and expensively run Fortune 500 IT security staff. Mandiant can’t or won’t tell you how they did it, but offers protection against further abuse, at a cost. You’re a Fortune 500: It’s an offer you can’t refuse.
But you remain sceptical, while your IT team is entirely unconvinced and holds deep suspicions, no doubt fuelled in large part by humiliation, but also by this sudden upheaval in their systems knowledge and technical skills – all those conferences, workshops, and certification upgrades, only to be effortlessly thwarted by government hackers. So you run a background check on Mandiant, and here’s some of what you come up with:
Kevin Mandia has a BS in Computer Science from Lafayette College and an MS in Forensic Science from GWU. He’s a highly regarded computer forensics analyst. He’s published two well-received books on information security. After matriculating from college, Mandia joined the US Air Force, where he remained from 1993 – 2000. He worked intel and ultimately ended up assigned to the 7th Communications Group at the Pentagon where he honed his forensic skills as a computer security officer. A number of members of the 7th CG have gone on to work for the NSA and other private and governmental intelligence agencies.
Then the first warning flag pops up. While still an officer at the Pentagon, Mandia was the director for information security from 1998-2000 for Sytex, at the time a seemingly low-value computer and network consultancy based in Pennsylvania, which earned $1500 in 1988, its first year. But by 2004 Sytex revenues had ballooned to $425 million, according to Congressional Quarterly. What was behind this sudden astonishing rise in fortunes? By 2004, Sytex had become the leading provider of contract interrogators for various national intelligence services, including the Department of Homeland Security and the Pentagon. Indeed, several of the Abu Ghraib private interrogators were drawn from Sytex, according to CorpWatch. In 2005, military colossus Lockheed Martin bought Sytex.
Mandia then joined the computer-security company Foundstone, which specialized in “exposing the vulnerabilities of software firms,” and he worked there as director of computer forensics from 2000 – 2003. Then another warning blip pops up. Mandia jumped ship just as Foundstone became immersed in allegations of “widespread software piracy.” That’s right: The company hired to defend against piracy was itself up to its snuffles in hot apps. Significantly, the allegations were corroborated by several employees who told investigators that “For years…top executives at Foundstone dumped a seemingly endless supply of the latest software onto a company server called Zeus and into a Microsoft Outlook folder called Tools, available to everyone on staff.” Did Mandia participate? Does the Pope hack the bear’s laptop as he snoozes?
According to his own proffered biographical data, “[Mandia] also led Foundstone’s computer forensic examiners in supporting numerous criminal and civil cases. He has provided expert testimony on matters involving theft of intellectual property and international computer intrusion cases.” It’s clear he knew about the piracy, and certainly as a forensics expert, he’d have been in a position to offer colleagues some of the many ‘cracks’ to the software made available on that server.
But the important question, in view of his later work as a private cyber warrior for the Department of Defense, is how it reflects on his ethics. After all, here’s a guy hired to protect software vendors from piracy putting himself above the law. But, then, this is typical of the national security mind-set: They are allowed to go beyond the letter of the law to serve and protect; a little pocket-lining is expected.
Again, in 2003, when the shit was hitting the fan for Foundstone, Kevin Mandia snuck out the backdoor and started up his own company, Mandiant, in 2004. Interestingly enough, he brought on board a few fleeing Foundstone executives to work for him. But aside from this questionable move, and far more significant, he also brought in Travis Reese, “co-founder and VP of the Computer Forensics & Intrusion Analysis Group at ManTech International Corporation and a former Special Agent with the US Air Force Office of Special Investigations.” Reese brought along his Top Secret clearance.
But the item to focus on here is his involvement with ManTech, which is teeming with “retired” military intel types, “ex” spooks, and PNAC disciples, such as board member Richard Armitage, the neocon hulk most fondly remembered for threatening to bomb Pakistan “back to the Stone Age,” who was the leaker in the Valerie Plame scandal, and who was on the board of ChoicePoint in 2000 when their databases became erroneously populated with the names of African-American felons – a mistake paving the way for the ascension of GW Bush and the National Security state.
Here, as director of IT for Deep State Secret Sauce, you pause to suck in some air. You’re breathing a bit heavy now because a dark picture is developing, with potentially huge ramifications. Questions form: Where did Mandia obtain his skill set? Exactly how did he access the secret sauce recipe, which is deeply vaulted? Is he a contracting spook? Doesn’t his service promising to find current network malware and prevent future incursions sound not a little like the protection racket of the Al Capone days? You exhale slowly and, never one to be cowed by bullies, you continue.
For a decade, the young (he’s now only 43) information security entrepreneur consulted and provided training to assorted corporations and government agencies, waiting like most small business owners for that Big Break. His company’s revenues slowly climbed to $20 million by 2013. Then by 2011 Mandia’s reputation had gained so much leverage that he appeared before the aforementioned House intelligence committee to declare (albeit implicitly) that the US government was hacking into not only private individual accounts but corporates as well, in each case under the pretext of the ‘War on Terror’ – the theft of intellectual property being a serious part of the battle.
Not long after his re-election in 2012, Obama began making louder rumbles about cyber warfare, implicating first the Syrian Army Brigade, and then loudly accusing the Chinese, without providing evidence (as has been the Obama Way for 6 years).
At the same time the Snowden revelations provided a clear indication that the US government was scooping up all communications worldwide, regardless of any actual threat. The world became a terrorist.
Then WSJ, NYT and WaPo got hacked. Obama said, by China. This had the effect of distracting from the Bush/Obama surveillance regimen.
Then again, Mandia, having turned at the very least a blind eye to intellectual property theft while at Foundstone, even though he was himself prosecuting such criminality, would have had few qualms about Obama’s doublespeak.
Then all of a sudden Mandiant announced a breakthrough, offering up concrete evidence of specific Chinese hacking by a specific group in Shanghai, who of course denied any hacking.
Obama pursued the group known as PLA 4545 and had Holder file civil charges against members of the hacking group (importantly depicting each member in a Chinese military uniform). As the members of the group were never likely to have come to America anyway, the charges are farcical and propagandistic.
In 2013 WaPo decides to sell. The owner says it is because the paper can’t keep up with the digital revolution. The paper is bought by Jeff Bezos of Amazon, which now has deep algorithmic connections to the CIA. Indeed, they’ve become more strident in the establishment anti-Snowden attacks, bringing on board ex-Homeland Security lawyers to make the case that Snowden’s leaks have risked lives – an argument itself derived from an unproven assertion made by an executive of the predictive database analysis company called Recorded Future, which itself is a CIA start-up.
Meanwhile, the NYT signs a long-term agreement with Mandiant to oversee and protect its data stores, including, one presumes, reporter files and source details.
The WaPo deal had no sooner gone through in December 2013 than, almost at the same time, Mandiant was bought up by FireEye for $1 billion. Mandia is COO. And, of course, the board is filled with Foundstone and military types. But most importantly FireEye is a start-up of Q-Tel, the CIA venture capitalist arm. (Interestingly enough, seemingly following Mandiant around, FireEye itself recently came under scrutiny for data breaches of its own customers.)*
Naturally, when you have to follow leads like this, through the maze, you will be accused of ranting and of conspiracy-theorizing. But such shell games are exactly what the spooks play – this is not disputed. Complexity and noise keep everything buried beneath opacity. This is the method bankers use to hide money offshore to avoid taxes and scrutiny. But the connections are all there.
It has been suggested that Mandiant is a cyber Blackwater. Surely. It is no coincidence that the Mandiant control center sports the Star Trek Enterprise bridge look, just like NSA chief Alexander’s fantasy set.
Stay tuned for an update on Mandia and FireEye’s connection to the North Korean hacking debacle concerning Sony.
* I had the article on this breach, and when I find it I’ll come back with the link.
Note to Reader: This piece, which I began about 14-15 months ago, was meant to be a feature investigative piece, but I haven’t yet gotten to all of the meat. For instance, in the title is a reference to World War “D”, which is an expression coined by James Rickards in his book, Currency Wars, which makes the case that the cyberwar we appear to be in the midst of is actually motivated by currency domination, and that, as things stand, China would win such a battle. Rickards bases his analysis on the result of the first-ever war games at the Pentagon focused on economics, which he was invited to participate in back in 2009. That is the subject of his book. I never got around to China or WWD in this piece, but I thought what I have for the Mandiant portion was of sufficient completion and quality to merit publishing here on my blogsite as a developmental investigative piece readers are urged to re-trace and continue on with themselves. I don’t know if I’ll get around to an expansion of the piece, as I am weaning myself off direct political pieces in order to concentrate on book reviews and my own creative work.