Actual (00:00)
Welcome to Status Secure. Today’s briefing is about the soft underbelly of the Defense Industrial Base. Five years ago, if you wanted to win a DoD contract, you filled out a spreadsheet, generated a system security plan, uploaded a score to SPRS, and put the binder on a shelf. It was the honor system. Today, the honor system is dead.
The Department of Justice is using the False Claims Act to sue contractors who lie about their cybersecurity posture. So, CISO, why is the DOD suddenly treating compliance as a kinetic battlefield?
The CISO (00:32)
Well, it’s because the actors have gotten smarter. They realized, especially nation states, like the APTs from China and Russia, they realized that the big DoD contractors like Lockheed Martin and Raytheon have been working on security for a long time. They understand security and they’re harder to attack. But they realized that, you know, your smaller contractors to the DOD, the tier two and tier three subcontractors, right, who are subcontracting maybe to Lockheed or Raytheon, or they’re smaller and they have a direct contract to the DOD. They’re like a 50-person, you know, shop. So, security-wise, they don’t have a lot of people on security. It makes it a lot easier to attack them. And so now your CUI, which is your controlled unclassified information, is in your supply chain, right? It’s in the supply chain.
So it’s small third parties or even those fourth parties, maybe fifth party sometimes. So the information, your CUI, is now expanded out into the smaller companies.
So if an adversary steals enough unclassified pieces of information from these smaller contractors and subcontractors, they can reverse engineer me. So a good example is, you know, when the DOD is getting ready to have a lot of people come together to work on something, there are signs. They order more coffee. They’re renting more cars because they’re coming from all over. So there are signs that there is a large group of highly classified, highly critical folks coming together. So the reality is that CMMC, the Cybersecurity Maturity Model Certification, isn’t just a new regulation. It’s the DOD pulling the plug on self-attestation. So instead of having to just say, hey, I have security, I’m good, trust me, which is never a good model to begin with, they’re saying, everybody.
Everybody who touches it, you know, DOD CUI, you know, controlled unclassified information for the DOD, must be secure, right? Because now, you know, the fight isn’t just at the DOD and the large contractors, it’s the small subcontractors and the small contractors who contract directly to the DOD.
Actual (03:20)
And if we speak practically about this concept of trying to put in parameters to ensure there’s, let’s say, security in this instance, let’s go to maybe a different example. We go to a shooting range to train law enforcement to shoot, but we can really only do so much until somebody’s in a real-life situation. And then how do they respond and react?
Is the training enough? Right, and it can be difficult to create realistic training, especially for everybody. In this example you have specialized units that train real hard and they are good at this. However, maybe your average law enforcement agency, maybe even your local SWAT, really doesn’t get that kind of training, and so from training to a real-life scenario there’s a big gap on, you know, what they’re actually going to do based on what they do in training. And so if I think about that on this topic of, you know, we scored a great score on this security assessment, or we’ve checked all the boxes for this certification, I guess the question I’m thinking of is how are these companies still failing the operational test when hackers or whoever actually do show up?
The CISO (04:33)
So you’re asking how do they… how do they pass all of their attestations or certifications?
Actual (04:42)
Yeah, I guess what I’m really asking is, if I was in this example of, like, law enforcement, right, and I go to the range and I shoot, and it’s very, like, I don’t know, it could even be extremely unrealistic. Maybe I’m in an indoor range and, like, I’m shooting at a paper target and, you know, I’ve got to pick up my brass. Like, there’s actually a story out there about FBI agents, that the way they would train is they would shoot, pick up their brass, shoot, pick up their brass. And there was a couple who ended up getting killed in a firefight with whoever, and they found brass in their hands because they instinctually went back to their training of shoot, pick up your brass. And so instead of actually shoot and then reload and shoot and reload and shoot, whatever the situation was, they were shooting and picking up their brass, which is what got them killed. And so for me, the question is, yes, we have these security assessments, we have these security certifications. How do we go, okay, where’s the gap? And how do we test that gap? That gap from saying, look, I have a piece of paper that says I’m secure, to saying, look, I just got attacked by a nation state and I’m capable of defending against that. I don’t know, does my question make sense?
The CISO (05:50)
It does. That’s why you have pen testing, right, where you red team, you purple team. You know, you need to find really good pen testers. That’s the thing you don’t want… I mean, this is the challenge, right, because the company, the CEO, the executives, they want to pass so they can get the contract with the DOD. I mean, that’s the bottom line, because they’re there to make money, right? And so they do everything they can to hire companies and assessors so they can get that piece of paper. So in the news lately, it’s public information, a company called Dell one day was the shining star of rapid assessments. You can get your SOC 2 with little effort.
The next thing you know, they’re in the news because they were a machine where they were actually generating evidence for companies to be able to pass a SOC 2. And so, you know, all these companies actually are no longer SOC 2 certified. Anybody who is going to come and certify them understands that they actually have to do more.
And these companies’ reputations have now, you know, been damaged. On top of that, their environment’s not safe, not secure. So Dell did a disservice. Not only was it fraud, but in some ways they’ve made it so that now these bad actors have a list of companies that they know don’t really have security controls, because their evidence was fabricated. So you want assessors who are tough. I understand, but just hire pen testers, really good pen testers. The best pen testers were criminals. That’s the truth, because you have to think like them. And do the pen test. And when that pen tester tells you this sucks or they were able to get in, then fix those holes. Really put in the money and the resources to fix those gaps. Because I see pen testers who are really great. They tell companies that, hey, I found this, I found this, I found this. And then the executives are like, OK, well, that’s great, but we don’t have money for that. So let’s just kind of put a Band-Aid on it and hope the Band-Aid works.
That’s something that has to change, especially if you want to work for the DOD. You’re now part of national security. You can’t think like that.
Actual (08:15)
Got it. Let’s say a breach happens and it’s because of a situation like that. Like, we had the information, we could have fixed it, we didn’t. And so what happens to their status, I guess, I’m curious, as a government contractor?
The CISO (08:29)
They get blacklisted, they get put on a list and they get fined, and they will no longer be able to not only bid on DOD contracts, but most likely no other agency is gonna wanna hire them. Their business is pretty much done.
Actual (08:45)
Got it. I guess this then is what I would imagine is kind of jumping into legal territory. So if we talk about the DOJ’s Civil Cyber-Fraud Initiative, if you invoice the DOD while misrepresenting your cybersecurity posture, the DOJ can apply the False Claims Act. So this isn’t a slap on the wrist or losing the contract, but it’s…
It’s a business liability. I mean, what have you seen kind of in the industry with companies that maybe fell into that bucket?
The CISO (09:11)
Well, the False Claims Act allows the government to seek triple the damages, right? So if your contract was like 10 million, they can fine you up to 30 million. Basically, it’s a way to get rid of bad contract companies. It is meant for if you are committing fraud.
If you are doing that, there’s integrity… so there’s integrity issues. There’s so many issues there. So the DOD is just like, because we can’t trust you, we’re just going to take you out. I mean, that’s the bottom line. So you don’t even need to be breached to get caught.
That’s the mistake some people, some companies make, right? Because the False Claims Act really heavily incentivizes whistleblowers. And it doesn’t even have to be a disgruntled employee, right? If an employee really believes in what they do, that they’re part of defending the country, and they know that the company’s faking their SPRS score, they can report it to the DOJ and they will legally be able to collect 15 to 30% of the fine. So there’s two things there, right? One is that I know my company is not doing, you know, it’s not being ethical, it’s not providing, you know, especially if I love my country, right? I would feel like my company is not doing the right thing to protect us. And then the second thing is, depending on what they find, I could make a substantial amount of money. So that’s how you get people to do things. We always say this: people have to have a desire.
And there has to be, like, because if I’m going to tell and then I lose my job, hey, then, okay, there’s that, you know, I want to be a good citizen, I want to report this, right. But then you add on top of that, like, I’m doing a good thing and I’m going to get paid for it. Yeah, right. So the likelihood is just increased a lot. So, you know, business owners, companies, have to understand that.
Like, they’re supposed to be part of the DOD ecosystem. So if you are a subcontractor, your prime will cut you off immediately. So that’s the other thing, right? So if you’re working for Lockheed Martin and they find out that you’re not doing what you’re supposed to in terms of security, they will immediately just, well, they’ll report you, they’ll terminate the contract, right? And you’re done. So there’s a lot of reasons not to do the wrong thing here, if companies really looked at it.
Actual (12:07)
Yeah, you know, I have an interesting thought on this. It’s a little out of left field, but it kind of reminds me of this time when I was on a team and we were preparing for some training and, you know, one of the guys had to go through, like, the risk assessment to make sure we meet the risk assessment so we can do the training. And it was very detailed. And so an example would be, like, we’re going to fast rope out of a helicopter. So, um, do you have these types of pieces of equipment, for example, like the proper gloves? Um, and so I’m kind of imagining in my head, ’cause I know how a lot of guys could be too, at that time, like, yeah, like, Nike introduced these military boots, which were, like, really comfortable to wear if you’re driving to the gas station and back or whatever. But, like, to actually wear in training and combat, they were ridiculous. They were just terrible quality and they would fall apart. But some guys were like, no, I’m gonna wear these, you know, all the time because they’re so comfortable and they’re cheap, right? And so I get these shoes, and if you wear those and you fast rope, you are going to burn, you will, like, burn your shoes apart, right? Like, the soles of the shoes literally burn and then they’re ruined.
It’s kind of ridiculous, and same thing, you go cheap on the gloves and you come down the rope, you could burn through the gloves, and you do that enough, it doesn’t make any sense. Like, that’s stupid, you know, but when you’re in that mentality of, I can’t afford it, you know, or we’re just gonna go cheap, you know, I only have so much budget, I can’t get proper fast rope gloves or I can’t wear the proper boots to go down that, and you’re creating a situation.
Like, it’s training. So in the training situation, someone could get hurt. But in real life, like, that’s it. You just can’t do that, right? That’s like, you just ruin your operational effectiveness and someone could get killed because of that. And that’s kind of what it makes me think of, ’cause we’ve had these conversations similar before, on other maybe topics and other episodes, of, here’s a security vulnerability, we found this in an assessment, but we don’t have the budget for that, it’s a little bit pricey to maybe address that security gap. And that’s like saying, you know, the cost to get the proper gloves to fast rope, it’s just out of my budget, or to wear the right boots to do that, that’s out of my budget. I’m just gonna wear these cheap piece of crap Nike boots that are just gonna burn in half when I get down the first rope. So that’s kind of what that reminds me of. It’s sort of, like, maybe a mindset thing, but also I feel like, is there a way to approach this that goes, no, this budget is necessary, right? So that people aren’t going to get… in my scenario, it’s like, it’s necessary so you don’t get hurt and hurt yourself. And it’s necessary so somebody doesn’t get killed. And it’s in the risk assessment because someone did it right before, and it costs a lot of money to deal with that, the fallout of somebody getting injured and whatever expenses came along with their medical fees because of it, whatever that situation was, right? Like, does that make sense?
The CISO (15:07)
And it does, it does. It always comes down to, you know, the ability of the security team to influence the board and the executives. And the problem is that most security people talk security, right? You know, and, you know, it’s like, you know, you gave that example about those Nike boots and I’m like, wow.
Yeah, I mean, those Nike boots didn’t work well, but hey, you got through. You got through, right? You couldn’t use them again, but you got through it, right? So, you know, and then it always comes down to money, right? So, OK, well, how much did those boots cost? You know, risk quantification is a hard thing for security people. You know, risk quantification says that you have to be able to… and this is business. This is just, you know, this is just business 101. It always comes down to the money. And if you’re a security person and you can’t talk money with your executives, you’re not going to be able to influence them to get you all the money that you need, right? You have to be able to talk in non-security terms. Hey, look, you know, these people can’t actually go through this course, you know, because afterwards they’re going to be hurt. Now we’re going to have to pay for medical bills.
You know, and the medical bills, the company is going to, like, get sued because now these people have to, like, go see, you know, get medical care. So the cost is going to be, like, this much, 10 million dollars. So instead of having people use these cheap boots, you know, where at the end we’re going to have to pay 10 million dollars for medical, right, for medical and to replace their boots, and, you know, why don’t we just shift that 10 million from after it happens to before it happens. And that’s a hard thing, right? Because that’s a hard thing to get executives and the board to understand. But if you’re doing security, you have to learn that skill. You have to be able to speak at, you know, at that level and in those terms, because, you know, they don’t understand, right? Because everybody, everybody takes risks all the time. But in order for you to say, hey, this risk is not acceptable, you’ve got to explain it in a way they can understand. Okay. Yeah. And if they’ve never gone on a course, right? Right. And when you talk about that course, I’ve never gone on a rope course before.
Actual (17:32)
Yeah, that makes sense.
The CISO (17:39)
So it’s hard for me to be like, well, why did those boots not work? I mean, they’re boots, right? And you said that they fall apart. What does that mean? Like, you know, it’s hard for me to picture. What does that mean? Does it mean, like, they just, you know, they didn’t keep, like, their color? Did the sole fall off? Like, what happened to them? Like, it’s hard for me to imagine. You just said, like, you burn through.
But it’s hard for me to understand that too. Like you said, burn through… burn through the… Did they catch on fire when they were going? You see what I mean? Like, you really have to be able to communicate, like, why were those boots not acceptable? They worked. It sounds like they got through the course. At the end they were damaged, but okay, you know, how much… you said those boots were cheap. You see what I mean?
Actual (18:28)
Yeah. Yeah. And you’re right. And you know, in that scenario, that was a, you know, a CYA type thing, right? It was a cover your ass, then come and talk down. Basically, here’s a list of items that are approved, and we don’t care if you guys want to wear the cheap stuff, because if you mark that you’re using the approved stuff and you don’t, it’s no longer on us, right? It’s on you guys.
So it’s just, you know, shifting the blame kind of thing. And it’s covering their ass, but it’s kind of, in that instance, it’s a little bit of a different conversation. But yeah, so we’re going to cut it here on this one. Yeah. So we’ll see you next week. Hey, the perimeter is no longer just your network, right? It’s the integrity of the paperwork that you submit to the federal government in the defense industrial base. Compliance is not a suggestion. It’s a condition of survival.
The CISO (18:58)
No, I’m.
Actual (19:15)
of mission success being about operational truth. So let’s go ahead and execute to the standard. See you next week.