EXCLUSIVE: Did Lockheed Commit an Ethics or Contracts Violation?
A Recent Cybersecurity Question Raised from within the F-35 Joint Strike Fighter Program
Imagine your bank is audited every 2 years by independent auditors, and one of those auditors, who has reviewed its accounts, ledgers and bookkeeping for the past years, is hired by that same bank to work on matters directly impacting that bank’s operations. Would that be an illegal, unethical, or even immoral act?
A very similar situation occurred recently within the Department of Defense’s (DOD) F-35 Joint Strike Fighter (JSF) Program. In May 2018, an Information Systems Security Engineer (ISSE), from a separate contract, responsible for third-party oversight of a major portion of the F-35 JSF program, accepted a position working on the same program where he was functioning as a de facto “assessor.” For the ISSE/Assessor there was no ethics clause, training, or certification required by this separate contract entity.
Has a conflict of interest been created? Has an ethical violation of current contract or cybersecurity regulations or norms occurred?
You be the judge…
MATTERS THAT MAY AFFECT YOUR OPINION
1. Many of us who work within the cybersecurity arena are bound by explicit standards of ethical conduct in order to maintain cyber-certifications. We are a profession just like lawyers, engineers, and doctors. We too are to “do no harm.” For example, the International Information System Security Certification Consortium (ISC2) has a stringent code of ethics. While it is highly likely none of the individuals involved here were members of ISC2, that too adds to the concern of behavior that would adversely impact the Cybersecurity Community as a whole.
ISC2 Code of Ethics
All information security professionals who are certified by (ISC)² recognize that such certification is a privilege that must be both earned and maintained. In support of this principle, all (ISC)² members are required to commit to fully support this Code of Ethics (the “Code”). (ISC)² members who intentionally or knowingly violate any provision of the Code will be subject to action by a peer review panel, which may result in the revocation of certification. (ISC)² members are obligated to follow the ethics complaint procedure upon observing any action by an (ISC)² member that breaches the Code. Failure to do so may be considered a breach of the Code pursuant to Canon IV.
Code of Ethics Preamble:
- The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
- Therefore, strict adherence to this Code is a condition of certification.
Code of Ethics Canons:
- Protect society, the common good, necessary public trust and confidence, and the infrastructure.
- Act honorably, honestly, justly, responsibly, and legally.
- Provide diligent and competent service to principals.
- Advance and protect the profession.
2. The second piece of information is whether a violation may have occurred under the Federal Acquisition Regulation (FAR) or Defense Federal Acquisition Regulation Supplement (DFARS). Here are the basic requirements for contractors to meet specified contract clauses from the respective references:
- The clause is required if the contract exceeds $5 million and performance exceeds 120 days
- Applicable to Subcontracts in excess of $5 million and a performance period of more than 120 days
- Inapplicable to Commercial Items under FAR Part 12
- Inapplicable if contract is performed entirely outside the United States
- Inapplicable if Contractor is a small business concern
In the case of Lockheed, the expectation is that they would be required to establish internal rules and regulations. FAR 52.203-13 is the major clause addressing contractor ethics. These details may or may not lead you to a final conclusion, but they clearly raise the concern of challenges in the area of secure systems development. This clause specifically requires:
- Contractors shall “exercise due diligence to prevent and detect criminal conduct” (unlikely this was a criminal act)
- “Promote an organizational culture that encourages ethical conduct” (was this an intentional act?)
- There is to be timely reporting, in writing, to the agency Office of the Inspector General, with a copy to the Contracting Officer, whenever the contractor has credible evidence that a principal, employee, agent, or subcontractor has committed a violation of federal criminal law in connection with the award or performance of any government contract performed by a contractor or a subcontractor. (Again, not criminal)
So, what do you think?