
General Alexander at Black Hat 2013: Privacy vs. Security vs. Transparency

Executive Summary

General Keith Alexander, the US Cyber Command (USCYBERCOM) commander and the director of the National Security Agency (NSA), gave a keynote speech at the annual Black Hat hacker conference in July 2013. His main point was to set the record straight on exactly what authority the NSA has in terms of government surveillance of US citizens and to present the controls currently in place to prevent abuse. He discussed the mechanics of two specific programs authorized in the Foreign Intelligence Surveillance Act (FISA) of 1978, bolstered by the Patriot Act of 2001, and updated by the FISA Amendments Act of 2008. The first program is called the Business Record FISA (Section 215 of the Patriot Act) and authorizes the collection of metadata on communications with international suspects. The second program is called Section 702 of the Foreign Intelligence Surveillance Act and authorizes the full collection of information from non-US citizens located outside the country. 

Throughout the presentation, General Alexander made the point that collection on US citizens in both programs was limited in scope and had rigorous controls in place to ensure compliance with the law and to prevent abuse, and because of these authorizations, the intelligence community and law enforcement have stopped more than 50 terrorist plots aimed at the United States and its allies. He did not talk specifically about the changes to the law since 9/11, but it is clear that after an initial and unprecedented granting of surveillance powers after 9/11, the US government has slowly put restrictions on those powers and instituted rules to ensure compliance. General Alexander did not discuss Edward Snowden specifically or whistle-blowers in general. It is quite possible though that if US government leaders would have been more forthcoming with the kinds of information that General Alexander presented in Vegas, Snowden’s information leak might never have happened. General Alexander’s speech is a good first step to prevent that from happening again, but until this kind of speech is common place throughout the US government, we can expect to see more Snowdens in the future.


I just listened to General Alexander’s recent keynote speech at the annual Black Hat conference in Vegas.[1] Regardless of where you fall on the issue of privacy versus security—or, as Bruce Schneier points out, liberty versus control[2]—you have to hand it to the general. That was a gutsy move. 

For the non-geeks in the crowd, the annual hacker trek to Las Vegas to attend either Black Hat[13] (a traditional cyber security conference) or DEF CON[14] (a sort of non-traditional poor man’s hacker conference) or both has been going on for more than a decade. Black Hat is traditionally scheduled first at the end of July with DEF CON following immediately in August. Many of the rock star speakers give their presentations at both conferences.

After DEF CON leaders famously disinvited the feds to their hacker conference this year because of the tension between the hacker community and the government over the Snowden/PRISM issue [3][4], it would have been easy for General Alexander, the USCYBERCOM commander and the director of the NSA, to ignore the entire conversation until everything just blew over. Instead, he went right into the belly of the beast and accepted the invitation to speak at Black Hat. 

The crowd was generally respectful except for one or two hecklers who were very angry. General Alexander handled himself with grace and professionalism even after one of the hecklers yelled at him that he was a liar and had violated the constitution. Those skirmishes aside, General Alexander was on a mission.

General Alexander Explains Precisely How the NSA Collects Intelligence on US Citizens

General Alexander was very clear that he wanted to explain the two programs that Snowden outed to the press.[4] Referring to the Black Hat crowd as the Technical Center of Gravity for the World, he seemed confident that once they examined the facts as he laid them out, they would all agree that there was nothing untoward going on with the NSA and surveillance of US citizens. Indeed, I think General Alexander made his case. The NSA is not violating any US law. Many people do not agree with the current law, but it is not the case that the NSA is breaking it. More importantly, he demonstrated the limited use of the two programs in their current form and detailed the rigorous controls that several different government institutions have put in place to prevent abuse of the programs.

The first of the two programs in question is called Section 215, or the Business Record Collection. According to Bob Litt, the general counsel for the Office of the Director of National Intelligence (US),
“It’s called Section 215 because that was the section of the Patriot Act that put the current version of that statute into place.”[15]
In his Black Hat speech, General Alexander referred to it as the Business Record FISA. By FISA, he is referring to the Foreign Intelligence Surveillance Act. This provision allows for the collection of metadata from communications media like phone calls: no names, no content, no geography. The Business Record FISA allows the NSA to collect just the phone number making the call, the called number, the date and time of the call, and the call’s duration.

From an intelligence perspective, this kind of information is invaluable for finding the needle in the haystack. By drawing nodal analysis diagrams of suspects’ phone and email contacts (link analysis), intelligence analysts can very quickly identify the key leaders of terrorist groups. The person whose phone is involved in the most calls and connects to the most people is very likely a key leader in the organization.[12]
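As an added illustration (not code from the post, from the NSA, or from the cited joint publication), here is a small link-analysis pass in Python over constructed call-detail records that carry only the four metadata fields named above: calling number, called number, date and time, and duration. The numbers are placeholders; the point is that a hub emerges from contact patterns alone, with no names and no content.

```python
"""Link (nodal) analysis over call metadata records.

Added example: constructed call-detail records with only the four fields
the Business Record FISA covers (caller, callee, date/time, duration).
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample records: (calling_number, called_number, timestamp, seconds).
# The numbers are placeholders, not real subscribers.
SAMPLE_CDRS = [
    ("555-0100", "555-0101", "2013-07-01T09:00:00", 120),
    ("555-0100", "555-0102", "2013-07-01T09:30:00", 300),
    ("555-0103", "555-0100", "2013-07-01T10:15:00", 45),
    ("555-0100", "555-0104", "2013-07-02T11:00:00", 600),
    ("555-0101", "555-0102", "2013-07-02T12:00:00", 90),
    ("555-0104", "555-0100", "2013-07-03T08:45:00", 30),
    ("555-0105", "555-0105", "2013-07-03T08:50:00", 0),   # self-call, dropped
    ("555-0102", "555-0103", "2013-07-03T14:00:00", 200),
]


def parse_cdrs(rows):
    """Validate raw tuples and return normalised records.

    Self-calls and rows with negative durations are dropped; the timestamp
    string is parsed so later analysis can filter by time window if needed.
    """
    records = []
    for caller, callee, ts, secs in rows:
        if caller == callee or secs < 0:
            continue
        records.append((caller, callee, datetime.fromisoformat(ts), int(secs)))
    return records


def node_stats(records):
    """Per-number statistics from the undirected contact graph.

    Each call counts for both ends: distinct contacts (graph degree),
    number of calls, and total talk time in seconds.
    """
    stats = defaultdict(lambda: {"contacts": set(), "calls": 0, "seconds": 0})
    for caller, callee, _ts, secs in records:
        for node, other in ((caller, callee), (callee, caller)):
            entry = stats[node]
            entry["contacts"].add(other)
            entry["calls"] += 1
            entry["seconds"] += secs
    return stats


def rank_by_centrality(stats):
    """Order numbers by degree, then call count, then talk time (all descending).

    This is the simple degree-centrality reading of the post: the node that
    talks to the most people and appears in the most calls ranks first.
    """
    return sorted(
        stats,
        key=lambda n: (len(stats[n]["contacts"]), stats[n]["calls"], stats[n]["seconds"]),
        reverse=True,
    )


def likely_hub(rows):
    """Return (number, distinct_contacts, call_count) for the top-ranked node."""
    stats = node_stats(parse_cdrs(rows))
    top = rank_by_centrality(stats)[0]
    return top, len(stats[top]["contacts"]), stats[top]["calls"]


if __name__ == "__main__":
    ranked_stats = node_stats(parse_cdrs(SAMPLE_CDRS))
    for number in rank_by_centrality(ranked_stats):
        s = ranked_stats[number]
        print(f"{number}: {len(s['contacts'])} contacts, {s['calls']} calls, {s['seconds']} s")
```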

The second program is the one associated with PRISM.[6] It is from Section 702 of FISA and allows the NSA to collect the actual content of the message (the phone conversation or the body of the email message). PRISM is not the name of the program. It is the name of the database that contains the collected information.[15] According to Director of National Intelligence James Clapper:
“Section 702 is a provision of FISA that is designed to facilitate the acquisition of foreign intelligence information concerning non-U.S. persons located outside the United States.”[6]
The controversy has arisen because, regardless of what Mr. Clapper says, the potential for collecting information on US citizens is high because US enemies outside the country will likely communicate with citizens in the United States.

The bottom line is that these two programs specified in the FISA—the Business Record FISA and Section 702—allow the NSA to legally collect intelligence on those communications. In some cases, US citizens will get caught in the collection.

The Legal Timeline

One of the issues with the transparency debate is the overwhelming volume of legal jargon used by both advocates and detractors around US laws concerning surveillance powers and the mechanics of how those laws are implemented. In these cases, I find it useful to scan a timeline of important events to get some perspective.
  • 1791 (Fourth Amendment): The Founding Fathers design the Fourth Amendment of the US Constitution to establish US citizens’ right to privacy and protect them from arbitrary invasions.[16][19]
  • 1952 (NSA): President Truman establishes the National Security Agency.[16]
  • 1973 (Warrants Required for Domestic Intelligence): The Supreme Court decides that Law Enforcement needs a warrant to conduct domestic intelligence surveillance.[16]
  • 1975 (Church Committee): Late in 1974, investigative reporter Seymour Hersh reveals that the CIA was not only destabilizing foreign governments but was also conducting illegal intelligence operations against thousands of American citizens. The Senate forms the Church Committee, chaired by Senator Frank Church, whose work ultimately results in the Foreign Intelligence Surveillance Act of 1978.[20][21]
  • 1978 (Foreign Intelligence Surveillance Act or FISA): Congress passes FISA designed to protect Americans from domestic spying.[16]
  • 1978 (Foreign Intelligence Surveillance Court or FISC): As a provision to the Foreign Intelligence Surveillance Act, Congress establishes the FISC as a special court and authorizes the chief justice of the United States to designate seven federal district court judges to review applications for warrants related to national security investigations.[18]
  • 11 September 2001 (9/11): The 9/11 attacks occur.
  • 4 October 2001 (Presidential Surveillance Program): President George W. Bush signs a presidential directive called the Presidential Surveillance Program that launches an unprecedented granting of surveillance powers to the NSA that allows bulk collection of metadata from US citizens. He designed the original program scope for a limited time period.[17]
  • 26 October 2001 (Patriot Act and the Business Record FISA): Congress passes the Patriot Act. It broadens the surveillance powers of the Foreign Intelligence Surveillance Act for Law Enforcement investigating terrorist activities.[16] Section 215 of this Act was the first legislation that authorized the metadata collection of the Business Record FISA.[15]
  • 26 October 2001 (National Security Letter): Under the Patriot Act, the FBI can compel Internet service providers, credit card companies, and phone companies with a National Security Letter (NSL) to provide information relevant to a counterterrorism or counterintelligence investigation. It can also impose gag orders that prohibit NSL recipients from disclosing that they received the NSL.[7] This change eliminates the former Law Enforcement restriction of only collecting intelligence on a foreign power without a warrant.[9]
  • Late 2002 (Telcos Volunteer to give data to the Government): Telecommunications companies enter formal agreements to voluntarily give data to the NSA.[16]
  • March 2004 (Metadata Collection is Illegal): The Department of Justice decides that the collection of metadata is illegal.[16][17]
  • July 2004 (The FISA Court Begins): The FISA court issues its first order regarding what metadata the NSA can collect and specifies the number of people that can access the information. This order transfers the power of when the authorizations expire from the President to the Court.[16][17]
  • January 2006 (Federal Judges Briefed on NSA Programs): The new NSA director, General Keith Alexander, briefs all members of the FISA Court about the NSA surveillance programs.[16][17]
  • 2006 (Commercial Information Sharing Agreements End): Commercial companies’ voluntary agreements to deliver metadata to the government end. Orders from the Foreign Intelligence Surveillance Court begin.[16][17]
  • May 2006 (FISA Court Restricts Business Record Use): The FISA Court authorizes the NSA to collect business records but limits the number of people who can access the data and requires more stringent oversight by the DOJ. It also rejects the agency’s request for broad collection of domestic communications content. This FISA Court decision causes a 73 percent reduction in the number of foreign targets collected upon by the NSA.[16][17]
  • 1 February 2007 (Presidential Surveillance Program Ends): President George W. Bush decides not to reauthorize the Presidential Surveillance Program.[16][17]
  • 2008 (FISA Amendments Act): Congress passes the FISA Amendments Act that modifies the Foreign Intelligence Surveillance Act of 1978 to require three changes. First, a court order is required to eavesdrop on US persons abroad. Second, the Foreign Intelligence Surveillance Court will review the activities within the Foreign Intelligence Surveillance Act for statutory compliance. Finally, commercial companies are granted legal immunity if they cooperated with the warrantless wiretapping program brought to light in 2005.[16][22]
  • 2009 (National Security Letter Improvements): An appellate court proposes the Reciprocal Notice policy, in which the FBI would inform NSL recipients of their right to challenge gag orders. If a recipient indicates an intent to do so, the FBI would initiate court proceedings to prove that the gag order was necessary. The FBI complies with the new policy.[7]
  • 24 March 2009 (Presidential Surveillance Program Audit): The NSA’s inspector general issues a classified 51-page draft report on the Presidential Surveillance Program. This is the report that Snowden leaked in the summer of 2013.[17]
  • April 2011 (Bulk Collection Ends): The FISA Court rules that the NSA had misled the court and had actually collected 56,000 purely domestic communications each year.[26][27] This is important because the authorities for conducting surveillance (the Patriot Act and the Foreign Intelligence Surveillance Act) restrict this kind of surveillance to counter-terrorism activities against non-US citizens. Collecting 56,000 purely domestic communications is clearly beyond the scope of the law.
  • May 2012 (NSA Internal Assessment): The NSA internally publishes its own assessment that it violated court orders for surveillance on Americans and foreign targets more than 2,500 times since the FISA Court’s ruling in April 2011.[28]

NSA Oversight of the Business Record FISA and Section 702

General Alexander repeated several times during his keynote that the oversight for these programs is and should be rigorous. He gets oversight from his own inspector general, the federal judges that review the FISA warrants, Congress, and the administration. He explained the technical and administrative controls in place that prevent NSA employees from abusing the system. He said that the entire system is 100 percent accountable; only 22 NSA leaders are allowed to approve a phone number from which information can be collected, and only 35 NSA employees have access to the system. They are all trained and vetted on the law and what will happen if they attempt to abuse the system. The general said that in four years of review, Congress has found zero discrepancies. He said that he specifically wanted to address the concern that even though NSA employees are not allowed to abuse the system, they still could if they wanted to. General Alexander was emphatic that they could not, and if they tried, they would immediately be caught.

He also addressed the concern that the NSA is continuously reading everybody’s email and listening to every phone conversation that ever happens in the US. He said that was just not true. In 2012, NSA leadership approved fewer than 300 phone numbers from which information could be collected, resulting in 500 phone numbers turned over to the FBI for further investigation. He explained the process of using the Business Record FISA to collect information from a suspicious phone number. He said that the FBI could compel an Internet service provider to give up the name associated with the phone number or email address by delivering an NSL to the provider.[7] With that information, the FBI can choose to get a warrant on the identified person to retrieve more information on the individual if required.

He closed by highlighting the program’s successes: 55 terrorist plots stopped (13 in the US, 25 in Europe, and the rest elsewhere). One US plot was potentially so big that it would have dwarfed the 9/11 attacks by comparison. General Alexander made the point that if we are worried about civil liberties today with the existing programs and laws, what do we think might happen to our civil liberties if another 9/11 occurred in the US?

Cory Doctorow explored this idea in his novel Little Brother, published in 2008.[11] In that story, Doctorow describes what the US government does in reaction to a second 9/11 event: a terrorist attack that blows up the Bay Bridge in San Francisco and collapses part of the BART tunnel, killing more than a thousand people. Security forces round up “suspicious” citizens and hold them at Alcatraz for questioning. There are echoes of Guantanamo, but in this story, government officials are holding US citizens. Law enforcement organizations track local residents wherever they go through mandatory radio frequency identification (RFID) devices, and they electronically monitor suspects without a warrant.

Although this was a novel, these kinds of things are what General Alexander was talking about.

9/11 Made Us Crazy for a Bit, but We Are Getting Better

It is clear that after 9/11, the US government went a little crazy with the idea of surveillance. Some would say that the US went way too far. Some would say that the US is not doing enough. Regardless of where you fall on that spectrum, what we did as a country is understandable. We were afraid. Our country had been attacked for the first time since World War II, and this time civilians were not just collateral damage alongside military casualties but the main targets. Anybody that I have ever talked to about that horrible day has some personal connection to it. They were either directly involved, had a close friend or family member involved, or knew somebody who did. After a few days, we were angry and were willing to do anything to prevent such an outrage from happening again. We made hasty decisions (the Patriot Act passed just over a month after 9/11 with very little debate). People wanted to help in any way that they could. Telecommunications companies sent their best people to the government to see what could be done. As our wounds started to heal, some government leaders began to question whether our need for security trumps our need for, and constitutionally promised right to, privacy. Whistle-blowers came forward. Government leaders started to change the system. The US is not a perfect country, but it is a resilient one. We make mistakes. In some cases, we try to correct those mistakes. We are in the process now of trying to correct some of the craziness that happened after 9/11.

What We Need Is Transparency, Not Whistle-Blowers

Like I said, I think General Alexander made his case. The NSA is not doing anything illegal. NSA personnel are following the law as it is currently written, and there are decent controls in place to prevent any abuses of the system. But before you think I am just another General Alexander fanboy (full disclosure: General Alexander was my senior rater when I ran the Army Computer Emergency Response Team [CERT] back in my military days), I have some very serious concerns about the transparency of the system to the American public.

The only reason General Alexander presented at Black Hat was that he had a public relations problem. The Snowden revelations in the press made it seem like the NSA was vacuuming up every bit of Internet data possible from every citizen in the United States. Indeed, that was precisely the case at the inception of both programs (see timeline above). As we got further away from the craziness of 9/11, saner minds in the US government prevailed and began to walk the system back to something closer to reasonable in terms of limiting the scope of the surveillance and inserting controls to keep everybody honest. This is a good news story. This is the system working. 

Regardless of whether you think that Snowden is a legitimate whistle-blower or a traitor to the nation, it is clear that Snowden thinks of himself as a whistle-blower. If it were not for Snowden and like-minded others in the last decade pushing this kind of information into the public spotlight, I am not so sure that any of these course corrections would have come about. Government leaders decry Snowden as a traitor and a spy because of what he did, but if they had been transparent about the mechanics of the system from the start, self-described whistle-blowers may not have felt compelled to release classified information to the public in the first place.

I am not saying that the public needs information on operational details that would threaten the government’s sources and methods.

I am saying that the mechanics of government surveillance—how government spies and law enforcement personnel get permission to collect intelligence—should be so transparent to the average citizen that it is taught in our elementary education civics classes.

Note to government officials: If your first thought about what you are trying to do (regardless of your motivations) is to keep the process secret from the general public, think again. This kind of justification just breeds conspiracy theories and potentially embarrassing whistle-blowers in the future.

The kinds of information that General Alexander presented at Black Hat should not be the exception; this kind of disclosure should be the norm. After General Alexander’s speech, the security community generally was able to breathe again. Although we are uneasy with the idea of government surveillance on the Internet, we recognize that there are circumstances in which it should or could be done. We may not agree with everything currently in place, but we are assured that there are limits to the surveillance scope and that there are controls in place to prevent abuse. Now that we know how the system works, we can start to have the conversation about whether or not we need more surveillance or less.

How to Prevent the Next Snowden 

Snowden represents the ultimate insider threat. I am the CISO of a mid-sized government contractor company. I have been asked by my senior leadership if our own insider threat program would have discovered Snowden before he released the classified documentation to the wild. The honest answer is no. Because of his system administrator position, Snowden was a trusted employee. He had the keys to the city, or at least some of them.

We may have had better luck catching Bradley Manning. According to Bill Simpich at Reader Supported News (RSN), Manning released some 700,000 documents to the public.[25] That volume of exfiltrated documents may have been noticed by my automated monitoring system or would have been stopped by my preventive controls (not allowing access to the CD system on classified machines), but Snowden has released only a handful of documents (with the promise of more later).[25] My monitoring system would not have noticed that kind of precision, and because he was a system administrator, he most likely had permission to turn off my preventive controls that stopped USB use.

In the aftermath, I have been reading Dawn Cappelli’s The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud). She and her co-authors recommend specific administrative controls that may have been useful for the NSA’s HR department or Snowden’s management chain. If those administrative controls had been in place, somebody may have noticed certain kinds of suspicious behavior from Snowden—things like publicly expressing disagreement with and outrage at the NSA surveillance program around the coffee nook at the NSA; however, noticing a potential insider threat and actually stopping it before the damage is done are two different things.

The NSA has just recently taken the step to reduce the number of system administrators within the organization by 90 percent.[24] This is a classic information-assurance move: restrict the number of people who have access to sensitive information to a well-managed, need-to-know list. We all should take a look at our need-to-know lists and do some pruning. This is a good security measure to address the specific issue of how Snowden did what he did, but it is not going to stop the determined government whistle-blower. There are many ways to release classified information to the public if you have a desire to do so. 

In order to more completely address the whistle-blower as an insider threat issue, the government needs to consider the reasons why a whistle-blower might exist. A whistle-blower is an employee who feels compelled to do something that is most likely illegal in the eyes of the law but is worth doing because, in his or her mind, it is the right thing to do. In this case, Snowden felt compelled to do what he did because he thought that the specifics of the government’s surveillance program were not known to the general public and needed to be. We can eliminate this kind of whistle-blower threat entirely if we just admit to ourselves that there is no issue with the public learning what the law allows.

In terms of surveillance, there is no reason why the public should not be allowed to know what statistics exist to show how the law is functioning, what controls are in place to prevent abuse of those laws, and what statistics exist to show how well the controls are doing. Government leaders will say that if we publicize that information to the world, the threat will be able to better attack our weaknesses; they will be able to game the system against us. That may be true, but this is essentially what General Alexander did at his keynote speech at Black Hat. He was compelled to do it because of the bad PR the NSA has been getting because of the Snowden event. If the government had been proactive about the mechanics of the program from its inception, Snowden’s information leak may not have happened at all.


The keynote speech General Alexander presented at Black Hat is an important milestone in the history of US government surveillance. It represents a shift, although a reluctant one, in government thinking about our ability to discuss these matters in public, and I applaud the effort. This is us getting better. The timeline presented above shows the pendulum swing after 9/11 to the extreme right as we reacted to that horrible day. It also shows a slow but steady swing back to the middle since then. Without the Snowden issue, and other whistle-blowers coming forward since then, I do not believe General Alexander would have willingly presented that information to any public community, let alone the security community that routinely makes the trek to Vegas each year. If we do not continue down this avenue of finding even more ways to make the mechanics of our intelligence and law enforcement programs transparent to the general public, the US government will see more whistle-blowers in its future. General Alexander’s speech is a good first step to prevent that from happening again.


[1] “Black Hat USA 2013 Gen. Alexander Keynote,” 2013 Black Hat Conference in Las Vegas, YouTube, 31 July 2013, Last Visited 20 August 2013,

[2] “Security vs. Privacy,” by Bruce Schneier, Schneier on Security, 29 January 2008, Last Visited 24 June 2013, 

[3] "For first time ever, feds asked to sit out DefCon hacker conference," by Dan Goodin, ArsTechnica, 11 July 2013, Last Visited 20 August 2013,

[4] "Edward Snowden and the NSA files – timeline," by Mirren Gidda, The Guardian, 25 July 2013, Last Visited 20 August 2013,

[6] "Here's The Law The Obama Administration Is Using As Legal Justification For Broad Surveillance," by Brett Logiurato, Business Insider, 7 June 2013, Last Visited 20 August 2013,

[7] "National Security Letters: A Little Less Secret?" by Alex Abdo, Staff Attorney, ACLU National Security Project & Hannah Mercuris, Free Future: Protecting Civil Liberties in the Digital Age, 9 May 2012, Last Visited 20 August 2013,

[9] "A Review of the Federal Bureau of Investigation’s Use of National Security Letters," by the US Department of Justice, Office of the Inspector General, March 2007, Last Visited 20 August 2013,

[11] “Book Review: “Little Brother (2008)” by Cory Doctorow,” by Rick Howard, Terebrate, 29 December 2012, Last Visited 20 August 2013,

[12] “Joint Intelligence Preparation of the Operational Environment,” Joint Publication 2-01.3, 16 June 2009, Last Visited 20 August 2013,

[13] "Black Hat USA 2013," UBM Tech, Last Visited 20 August 2013,

[14] "DEF CON," DEF CON Communications, Last Visited 20 August 2013,

[15] "Transcript: Newseum Special Program - NSA Surveillance Leaks: Facts and Fiction," by Harvey Rishik, Robert Litt, M.E (Spike) Bowman, Kate Martin, Gene Policinski, Ellen Shearer, Joel Brenner, and Stewart Baker, 26 June 2013, Last Visited 20 August 2013,

[16] “Timeline of NSA Domestic Spying,” by the Electronic Frontier Foundation, Last Visited 20 August 2013,

[17] "The Taming of the Spook," by William Saletan, Slate, 1 July 2013, Last Visited 20 August 2013,

[18] "Foreign Intelligence Surveillance Court," by the Federal Judicial Center, History of the Federal Judiciary, Last Visited 20 August 2013,

[19] "Fourth Amendment: An Overview," by the Legal Information Institute, Cornell University of Law, Last Visited 20 August 2013,

[20] "The Church Committee and FISA," by Bill Moyers, Bill Moyers Journal, Last Visited 20 August 2013,

[21] "Church Committee Created," by the Senate Historical Office, United States Senate, Last Visited 20 August 2013,

[22] "New Law Expands Government Surveillance Powers," by Daniel Ray, edited by Sarah Sorscher, Jolt Digest, Harvard Journal of Law and Technology, Last Visited 20 August 2013,

[24] “NSA to cut system administrators by 90 percent to limit data access," by Jonathan Allen, Reuters, NBC News Technology, 9 August 2013, Last Visited 20 August 2013,

[25] "Manning Chose Documents for Release as Selectively as Snowden," by Bill Simpich, Reader Supported News (RSN), 12 June 2013, Last Visited 20 August 2013,

[26] "Memorandum Opinion,” by John D. Bates, Judge, United States Foreign Intelligence Surveillance Court, 11 April 2011, Last Visited 31 August 2013,

[27] "NSA gathered thousands of Americans’ e-mails before court ordered it to revise its tactics," by Ellen Nakashima, Washington Post, 21 August 2013, Last Visited 31 August 2013,

[28] "NSA broke privacy rules thousands of times per year, audit finds," by Barton Gellman, Washington Post, 15 August 2013, Last Visited 31 August 2013,


"A Review of the Federal Bureau of Investigation’s Use of Section 215 Orders for Business Records," by the US Department of Justice, Office of the Inspector General, March 2007, Last Visited 20 August 2013,

"FISA Business Records - Section 215 of the US Patriot Act," Electronic Frontier Foundation, 11 April 2006, Last Visited 20 August 2013,

House Committee on the Judiciary, 30 March 2011, Last Visited 20 August 2013,

"NSA collecting phone records of millions of Verizon customers daily," by Glenn Greenwald, The Guardian, 5 June 2013,

"NSA Surveillance Program Explained: Here’s Why We’re Freaking Out," by Caitlin Dickson, The Daily Beast, 7 June 2013,

"POLITICS-US: Let Spy Laws Fade into the Sunset, Group Urges," by William Fisher, Inter Press Service News Agency, 9 August 2013, Last Visited 20 August 2013,

“The Permanent Provisions of the Patriot Act,” by Michael German, Senior Policy Counsel, American Civil Liberties Union, Washington Legislative Office, Before the Subcommittee on Crime, Terrorism and Homeland Security 

