Compare this to the conversation on stackexchange yesterday where a small company CTO was worried about lying about pentesting.
The exact same ethical issues and commercial incentives apply in 10-person teams and 2BN grants.
It looks to me like we need something like professional engineer status at any given organisation that has independent and legal personal sign-off (i.e. a railway engineer can simply stop, for example, the 10bn pound HS2 railway project by simply not signing off one piece of paper. And the management know that. And so they have to deal with him, whoever he is.)
The CISO of even Penn State has no such leverage.
Edit: I think we should look first to see what balance of powers exists in an organisation: labour represented by unions? Management vs tech? Sales vs everyone else?
This is an interesting notion, but I wonder if there would really be support for such laws.
In Canada, you can't even call yourself an "Engineer" if you aren't an accredited P.Eng license holder. And a P.Eng who signs off on safety-related designs that aren't safe (or signs off pretending to be a P.Eng) can actually go to jail. And that's something I fully support.
But would people support similar laws for information security? I would, but would enough people that the government would pass such rules? Hard to say.
It took, depending on when you say who the first "engineer" was, several hundred years (let's go from Christopher Wren to the 1828 charter of the Institute of Civil Engineers).
So we have time. But we could easily establish minimum best practises for computer security, data security, PII management etc. (we more or less have with, say, SOC2). This is why the people that asked "when was your last pentest" got it wrong. They should have said "show me your SOC2 certificate". Then whatever lies the salesman says are obviated by going and asking the accreditation agency.
All we need to do is migrate the SOC2 from a paid-for box-ticking exercise into something valuable.
Some states, like Oregon I believe, have similar prohibitions about the word "engineer" being one's job title. Others only prohibit signing off as a PE unless certified.
Most life critical systems, such as medical devices, bridges, and buildings, require a PE to sign off in the states.
Removing the "engineer" from a title or position that doesn't require a PE is not likely to happen, and is really just semantics.
The bigger issue I see, especially with DoD IT systems, is that the federal government career field that manages those requires NO education.
I can only believe that this occurred because software "engineering" doesn't actually have standards and licensing to ensure a minimum level of competence. I'd be willing to bet a civil engineer would be a hell of a lot less likely to forward a clearly falsified report if they knew their license was on the line and that they were exposing themselves to legal jeopardy.
HN is often very hostile when you bring up certification or even applying a bare minimum standard for proficiency and ethics to the profession. That stackoverflow question is one of the reasons why we need these standards and training. If the SO-OP had the ethical training and foundation that came with licensing, and faced the risk of license revocation, he would have easily made the right decision to not lie. Honestly I couldn't believe what I was reading. How did OP even remotely rationalize his decision?
> How did OP even remotely rationalize his decision?
That's not hard for me to understand, because they basically explained it in their SO post. They thought that since they clearly explained to their director that the statement "we ran a pen test" was false, in writing, that they essentially "transferred" any liability to their director. To clarify, that line of thinking is wrong, but I can understand where it came from.
That's why ethical training for software engineers is important, so that it's unambiguous that people were at least taught where the clear line exists, and if they go over that line it's because they chose to, not because they didn't understand where the line was.
This local news source actually embedded the complaint [0].
I don't have time to go into it in detail right now, but it looks like the other comment [1] is correct that the modified headline on HN is very wrong: the $2 billion dollar contract went to the ARL and not Penn State proper. The complaint says that the ARL is "physically, logically, and operationally separated from the Penn State campus". The CIO of the ARL is alleging that Penn State proper lied on its documents, but the $2 billion contract is not involved in the allegations.
I know there are more important parts of this story than the names of the individuals involved; but I can’t get over how the guy’s lawyer is named “Darth Newman”.
The title is false. The 2B has nothing to do with lying about IT security. The 2B went to the Applied Research Lab and the CISO was at Penn State University. Two completely different entities.
Penn State University had the IT fraud. The Applied Research Lab (ARL) had the 2B contract ceiling (also incorrect, not awarded 2B). The ARL CISO reported the university CISO for IT fraud.
I agree that the article is a bit vague on that. However, at the university I work for, the team that manages our government cloud also works on our public cloud. The compliance team for the GCC environment and the engineering team I am on all report up the same silo.
It is not uncommon for universities to have wholly owned but logically separated research subsidiaries. This solves two problems. One being the elevated level of security needed at the research subsidiaries would not be acceptable to general staff and faculty. The second being the ease of management. The separation makes it easier to delineate where sensitive data can go.
I know what I’m going to bring up in my CMMC compliance call tomorrow.
The university I am an information security engineer for has been working for years to become CMMC level 2 compliant.
Penn State using public cloud (assuming Azure) and the commercial Office 365 would place them about 18-24 months away from being able to pivot to GCC or GCC-High. That is assuming they have the staff and capabilities to do this.
That doesn’t include all of the policies and other paper processes that need to happen.
Hopefully there are consequences for this level of deception.
They do; there is GCC and GCC-High. There are a number of reasons why, but the most common would probably be the additional cost of resources and staffing.
Feature for feature, the core functionality is the same. There’s more overhead in GCC and some features in public are delayed in implementation.
We had a sales pitch by an MS partner and they made it sound like provisioning/migrating services to gov cloud was seamless. It makes sense there is overhead involved from compliance. Two years to pivot seems pretty crazy though.
I’m curious whether the government certification / reporting process is punitive in nature and perhaps provides incentives to fabricate compliance. I’ve led a fintech startup through IT security audits mandated by top US banks and found them to be highly collaborative and helpful. Much less of a “pass/fail” judgement and more “you’ve made it to X on your own; here’s some resources on how to hit Y affordably so we can begin to do business.”
NIST 800-171, if that's what this is, is actually a decent set of regulations. I find, however, that the software solutions that are available drive companies to use just a few solution providers that creates concentrated points of vulnerability.
Whistleblower CISO says PennState lied about IT security to win $2B from US gov (centredaily.com) 54 points by jollofricepeas 2 hours ago | 38 comments
> Contractors like Penn State are required to self-attest to compliance with 110 security requirements spelled out by the National Institute of Standards and Technology; there is no oversight, Newman wrote.
> The self-reported scores must be submitted before a defense contract is renewed or awarded. At least 20 records submitted to the government were falsified, the lawsuit alleged.
If you're not going to do any actual verification of the security of a subcontractor and just ask them to "self assess", with a significant financial incentive for them to lie to win a contract, you can't be too surprised when they... lie to win the contract.
I'd even take it a step further: when a contract worth 2 billion is awarded without even an attempt at validation of self-compliance claims, then the ones in control of the awarding process are also part of the, almost guaranteed, fraud.
If this is just the standard CMMC clause getting inserted with all government contracts, then they are not actually required to meet all the security standards all at once. They only have to have a plan to meet all the standards. So saying that you are compliant when you aren't here is not a requirement for a contract. It's just lazy.
Until you have outside confirmation, we attest via SPRS[1], which requires more detail than just checking a box and holds legal constraints against falsification. A lot of DoD contracts renew March-June and the drop-dead for CMMC for DoD suppliers is 2025. You will hear about this falsification happening more and more (especially around pentest reqs); without a dedicated implementation team, compliance is hard for already understaffed universities. It is the least interesting place to be for infosec work.
> you can't be too surprised when they... lie to win the contract.
Whether or not you can be "surprised", you can still hold them legally accountable for it. Surprise or lack thereof is irrelevant, so why even bring it up?