Are you a cybercriminal?

Dec 20, 2023

As a Chief Information Security Officer (CISO) or cybersecurity director, it is likely that you have been asked to “pretty up the numbers” or “improve the optics” when reporting risks or the state of the organization's cybersecurity posture. However, those are just lies that are being told to you to get you to compromise yourself. The mainstream depiction of “cybercriminals” has a glaring omission: it misses the contingent that you potentially interact with on a daily basis. While the media commonly portrays cybercriminals as hoodie-wearing hackers (external) or disgruntled employees (internal), it misses the open secret of fraud that is committed within many organizations by cybersecurity, technology and broader leadership teams. Yes - a CISO may be an otherwise respectable cybercriminal!

Fraud would top the list of "good guy cybercrimes" when you look at what it entails. Fraud is simply "wrongful or criminal deception intended to result in financial or personal gain." How can that possibly relate to you as a CISO, CIO or other executive? Let’s count the ways you may be engaging in or aiding criminal behavior within your organization:

  1. Fudging Quarterly Business Review (QBR) reports to show that the health of the cybersecurity program is better than it is (e.g., lying to the board or executive leadership that things are good when they are not)?
  2. Attesting to a 110/110 score in the Supplier Performance Risk System (SPRS) for NIST 800-171 when there is evidence that the controls / assessment objectives have deficiencies (e.g., lying to the US government)?
  3. Going along with what the CIO, or another executive, wants by omitting certain findings from the risk register, since those open risks might raise uncomfortable questions about the stated level of the organization’s security program (e.g., concealing known risks from stakeholders in a way that potentially alters executive decision-making processes)?
  4. Signing off (attesting) on third-party risk assessments or cyber liability insurance surveys that certain controls are in place, where you know or reasonably suspect that those controls are not being met (e.g., lying to third parties about the actual security posture of your organization)?
  5. Using mental gymnastics to justify criteria for not reporting a breach or incident when it should reasonably be reported (e.g., determining that an incident is just under the materiality threshold to avoid SEC reporting requirements)?
  6. Providing cybersecurity’s “stamp of approval” that control validation testing was reasonably performed to identify and mitigate risks associated with products/solutions going into production, when in reality there is clear evidence of deficiencies that should have been remediated before release (e.g., greenlighting projects for political reasons to avoid conflict)?

Understanding Unlawful Acts 

Let’s first look at the actions listed above for some commonalities:

  • What is being represented is untrue (deceitful); and
  • You are benefiting through financial and/or personal gain by means of (a) performance bonuses or even (b) keeping your salary by remaining employed in a role where you are perpetuating a lie.

Then let’s look at some definitions to help this concept settle in:

  • Criminal - a person who has committed a crime (unlawful act). 
  • Unlawful Act - an action or omission that constitutes an offense that may be prosecuted and is punishable by law. 

The unease of this concept may be setting in, but I imagine you are not yet completely sold on the idea that in your current role you may have broken one or more laws or regulations. Here are a few “low hanging fruit” laws where fraudulent or unscrupulous actions would reasonably be considered unlawful acts, regardless of the industry you are in:

  • False Claims Act (FCA) - In October 2021, the Department of Justice (DOJ) launched its Civil Cyber Fraud Initiative (CCFI) with the explicit mission of using the FCA to prosecute federal contractors that “fail to follow required cybersecurity standards." The CCFI is meant to provide whistleblower protections for those disgruntled cybersecurity practitioners who get fed up with lip service from their management team and report violations. Additionally, the FCA has a "finder's fee" component that incentivizes whistleblowing, which can make it financially beneficial for disgruntled cybersecurity practitioners to turn in companies that violate their compliance obligations. You could potentially be named in such an FCA accusation for your specific role and actions. Lying about the status of NIST 800-171 compliance would be an offense under the FCA.
  • Federal Trade Commission Act (FTC Act) (15 USC 45), Section 5 - Section 5 of the FTC Act empowers the FTC to take a direct role in policing the cybersecurity practices of both privately and publicly held companies. Pertinent to the idea of fraud, where weakening or ignoring reasonable security practices comes into play, is the notion of unfair practices. An act or practice is “unfair” if it “causes or is likely to cause substantial injury to consumers [includes businesses] which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition” (15 USC Sec 45(n)). Many companies have been on the receiving end of FTC enforcement actions for "unfair or deceptive practices" due to internal processes that fail to maintain a reasonable, comprehensive cybersecurity program. This is where consumers / businesses would be unfairly harmed by your organization's weak or shoddy security practices. Additionally, consideration should be given to shareholder lawsuits for breach of duty of care.
  • Wire Fraud - Think about the wire fraud implications of the interstate nature of electronic communications (e.g., phone, e-mail, SMS, websites, etc.). Realistically, wire fraud is more of an add-on when you look at larger FCA or FTC Act violations. While wire fraud is a standalone crime, it is something that would likely be tacked on to other, more pressing charges. In modern communications, your use of a cell phone, SMS messages, emails or Internet portals will cross state boundaries, so the PowerPoint presentation you emailed to the CIO with fraudulent QBR data, or logging into SPRS and submitting a false score, could be considered wire fraud.

What is the root cause of this problem? 

Based on personal observation over the past few decades and peer feedback on the subject, I firmly believe that the root cause of this problem is the inherent Conflict of Interest (COI) in how organizations are structured. Essentially, a CISO is a “chief” in name only and commonly reports to the CIO, which is an immense conflict that breeds a toxic environment and squashes objectivity. I firmly believe that most CISOs and cybersecurity directors want to do what is right, but find themselves in unwinnable scenarios where, for whatever reason, they choose to sacrifice their integrity for the sake of the role. Having the CISO removed from the technology leadership stack would help provide objectivity and reduce the toxic nature of conflicting loyalties. A CISO needs to be free to report objectively, where risk management options can be openly discussed. While this might be frightening to a CIO, it would be to the betterment of the organization, since the objectivity could help ensure that technology architectures / resources actually support the organization's mission and strategy. The best defense is a strong offense!

If you are a CISO, how can you defend against getting pulled into unethical territory in the first place? 

Think of the environment you work in as a battleground, so have a plan for how you are going to use the resources available to you to achieve success on said battlefield. In practical terms, this means taking a proactive approach by developing a plan. Specifically, a multi-year, risk-prioritized strategy with clearly-defined objectives is needed. Having a documented cybersecurity-level business plan / strategy can help CISOs by providing evidence of both due diligence and due care in managing expectations against realities. Sharing this strategy with the CIO and other executive stakeholders can help formally establish how the Governance, Risk and Compliance (GRC) and general security operations functions support your organization’s overall strategy and mission. You can use it to help establish boundaries and clearly define how risk will be managed according to available resources, which can be useful evidence if you are thrown under the bus. Always keep in mind that if it isn’t documented, then it doesn’t exist. 

The moral of the story is to do the right thing! 

It takes courage to stand up against corrupt practices. Often, it also takes an outside perspective to provide objectivity. If you are consistently being gaslit by others, where your objections are twisted to make you feel as if you are the one with the problem, it can cause you to second-guess yourself. Active participation in local or online security groups can be immensely beneficial, such as attending your local ISSA or ISACA chapter meetings. Fresh perspectives and objectivity can provide some needed clarity to help you come to the realization that you are in a toxic work environment. That may be the wake-up call that is needed to get back on the right path or find a greener pasture altogether.

What if I am an unwilling participant in a cybercrime? 

If you are a CISO, or cybersecurity director, you may be caught in the dilemma of going along with others' fraud for the sake of keeping your job. Clearly, you are at a crossroads where you have to make a hard decision: 

  • The morally correct decision is to be a whistleblower. Use an internal fraud hotline (if one exists) to report the wrongdoing, or report the behavior to the proper authorities.
  • The morally wrong decision is to go along with the fraud. That is a slippery slope: once you lose your integrity, you are not going to regain it.

This is where it comes down to free will - it is your choice to decide which path you want to take.