When Spotting a Hack Doesn’t Help You

Ben Cotton diagnosed a massive federal breach, then got stiffed.

On April 21, 2015, Ben Cotton visited the U.S. Office of Personnel Management in downtown Washington to pitch his small cybersecurity company, CyTech Services. He loaded proprietary diagnostic software onto five servers running on OPM’s network. Uh-oh, the chief executive told his hosts, “you’ve got a big problem here.”

Over subsequent months, OPM—the federal government’s HR department—acknowledged it had suffered massive data thefts, which U.S. officials attributed to Chinese intruders. The stolen material included personnel records and background-check data for more than 22 million current and former government officials.

Cotton assumed his business would benefit from its role in revealing the breach. Instead, OPM publicly denied he’d helped and implied he’d angled for undeserved praise in the media. That’s a devastating suggestion in the digital security field, where contractors are expected to keep their findings private. Stuck in an entrepreneur’s nightmare, Cotton had to put his faith in a congressional investigation of the breach.

Born in Cody, Wyo., Cotton enlisted in the U.S. Army in 1980 at the age of 19 and eventually qualified for the Green Berets. He learned about technology while on antidrug and counterinsurgency missions in Latin America. “We’d pick up targets’ digital radios or their floppy disks and use the information we could take off them,” he says. “I absolutely loved that stuff.”

After retiring from the Army in 2003, he started CyTech in his basement. He won jobs from intelligence agencies he’s not allowed to identify and corporations such as Nike. Today, CyTech has roughly 100 employees and is based in Manassas, Va. Cotton won’t take outside investment, which he admits limits growth. “Ben is more tactically focused than strategically focused,” says Chris Jones, Nike’s head of global cyber investigations. “He likes to stay deep in the weeds of what’s happening.”

It’s no surprise, then, that Cotton himself handled the OPM demo. “This was potentially a huge customer for us,” he says. His diagnostic software, Cyber Forensic Incident Response (CyFIR), speeds assessment of network threats. Older comparable products search only a handful of desktops, laptops, and servers at a time, typically after they’re taken offline. CyFIR can hunt through tens of thousands of active machines at once, tagging and analyzing malignant and unknown programs.

The CyTech tool quickly identified suspicious programs on four of the five OPM servers. One of Cotton’s top employees then joined a team of OPM technicians and other contractors to trace and identify the malicious software.

Six weeks after Cotton’s demo, OPM publicly acknowledged the theft of millions of personnel records. The agency said it discovered the breach itself as part of “an aggressive effort to update its cybersecurity posture, adding numerous tools and capabilities to its networks.” Six days later, the Wall Street Journal reported that the credit belonged to CyTech. OPM denied the company’s role in a follow-up story, and on Capitol Hill: On June 16, then-OPM Director Katherine Archuleta testified before the House Committee on Oversight and Government Reform that “OPM detected the intrusion,” leaving contractors unmentioned.

Cotton declined to comment for the initial Journal article, but OPM leaders blamed him for the PR leak. “I cannot express how bad this is going down for you,” Jeff Wagner, OPM’s director of IT security, e-mailed him on June 12. “THE LEAKS ARE NOT US!!!” Cotton replied. “I was desperate,” he recalls. “Industry people were telling me I wasn’t going to get any more federal work if I got the reputation of someone who bragged about his capabilities in the media.”

So what really happened? This September, the House committee published a 231-page majority staff report harshly criticizing OPM for the data breach. The report said Cotton’s company had played a role in identifying the breach, and that OPM had downplayed that work as part of a broader damage-control strategy. The committee also concluded that, unbeknownst to Cotton, OPM and another contractor had begun to identify separate evidence of the hack several days before his demo. “CyTech did NOT discover the breach,” OPM spokesman Samuel Schumach said via e-mail.

Cotton says even partial vindication helps his sales pitch. “The whole thing gave him some added visibility,” says John Dewing, president of TecX, a digital forensics company. Still pending is Cotton’s bill for $818,000. OPM, said Schumach, “will pay any appropriate amounts owed and required by law.”

The bottom line: Cotton’s CyTech Services is still waiting to be paid for anti-hacking work it did in 2015 for the Office of Personnel Management.