As the four-star general in charge of U.S. digital defenses, Keith Alexander warned repeatedly that the financial industry was among the likely targets of a major attack. Now he's selling the message directly to the banks.
Joining a crowded field of cyber-consultants, the former National Security Agency chief is pitching his services for as much as $1 million a month. The audience is receptive: Under pressure from regulators, lawmakers and their customers, financial firms are pouring hundreds of millions of dollars into barriers against digital assaults.
Alexander, who retired in March from his dual role as head of the NSA and the U.S. Cyber Command, has since met with the largest banking trade groups, stressing the threat from state-sponsored attacks bent on data destruction as well as hackers interested in stealing information or money.
"It would be devastating if one of our major banks was hit, because they're so interconnected," Alexander said in an interview.
Alexander, 62, said in the interview he was invited to give a talk to the Securities Industry and Financial Markets Association, known as Sifma, shortly after leaving the NSA and starting his firm, IronNet Cybersecurity Inc. He has met with other finance groups including the Consumer Bankers Association, the Financial Services Roundtable and The Clearing House.
At the sessions, Alexander discussed destructive computer programs such as Wiper, which the U.S. government said was notable because attacks using it appeared to originate from North Korea and Iran. "I told them I did think they could defend against that," Alexander said.
Still, despite the banks' growing investments in computer security, Alexander said, "many of them aren't really confident they're getting their money's worth."
The ex-NSA chief is leasing office space from Promontory Financial Group LLC. Eugene Ludwig, Promontory's founder and chief executive officer, joined Alexander at a meeting with Sifma, Wall Street's largest lobby group.
Alexander offered to provide advice to Sifma for $1 million a month, according to two people briefed on the talks. The asking price later dropped to $600,000, the people said, speaking on condition of anonymity because the negotiation was private.
Alexander declined to comment on the details, except to say that his firm will have contracts "in the near future."
Former U.S. intelligence officials are part of the burgeoning Internet security industry. Michael Morell, who last year was deputy director of the Central Intelligence Agency, now works for Beacon Global Strategies LLC and appeared at a Sifma event to warn financial firms about cybersecurity threats. CrowdStrike Inc., a security-technology company that does work for the largest banks, has former FBI officials on its staff.
Alexander had devoted many of his public statements to the growing threats to private infrastructure before his tenure at the NSA became embroiled in responses to revelations about the agency contained in files leaked by former intelligence contractor Edward Snowden.
In the interview, Alexander said that a successful major attack on a bank would shake consumer confidence even if the institution were able to recover quickly.
"If all your banking stuff was just wiped out" and the bank had no record of how much money its customers had on deposit, "they could go back to their last surviving record but that might not be today," Alexander said.
One obstacle to a stronger system, he said, is the legitimate concern banks have about privacy and liability when they give data to other firms and the government. The Senate Intelligence Committee next week will take up a bipartisan bill sponsored by Senators Dianne Feinstein, a California Democrat, and Saxby Chambliss, a Georgia Republican which would set rules and protections for information-sharing.
Such a law would be an important tool to improve the nation's defenses, Alexander said.
"What I'm concerned about is we're going to have a 9/11 in cyberspace," he said.