EXCLUSIVE: Did Lockheed Commit an Ethics or contracts violation?

admin September 25, 2018
Connect--But, be very careful

A Recent Cybersecurity Question Raised from within the F-35 Joint Strike Fighter Program

 

Imagine your bank is audited every 2 years by independent auditors, and one of those auditors, who has reviewed accounts, ledgers and bookkeeping for the past years is hired by that same bank to work on matters directly impacting that bank’s operations. Would that be an illegal, unethical, or even immoral act?

A very similar situation occurred recently within the Department of Defense’s (DOD) F-35 Joint Strike Fighter (JSF) Program.   In May 2018, an Information Systems Security Engineer (ISSE), from a separate contract, responsible for third-party oversight  of a major portion of the F-35 JSF program, accepted a position working on the same program where he was functioning as a de facto “assessor.” For the ISSE/Assessor there was no ethics clause, training, or certification required by this separate contract entity.

Has a conflict of interest been created?  Is there an ethical violation of current contract or cybersecurity regulations or norms been violated?

You be the judge…

A blurry issue

MATTERS THAT MAY AFFECT YOUR OPINION

  1. Many of us who work within the cybersecurity arena are bound by explicit standards of ethical conduct in order to maintain cyber-certifications. We are a profession just like lawyers, engineers, and doctors.  We too are to “do no harm.”  For example, the International Information System Security Certification Consortium, (ISC2) has a stringent code of ethics.  While it is highly likely none of the individuals involved here were members of ISC2, that too adds to the concern of  behavior that would adversely impact the Cybersecurity Community as a whole.

ISC2 Code of Ethics

All information security professionals who are certified by (ISC)² recognize that such certification is a privilege that must be both earned and maintained. In support of this principle, all (ISC)² members are required to commit to fully support this Code of Ethics (the “Code”). (ISC)² members who intentionally or knowingly violate any provision of the Code will be subject to action by a peer review panel, which may result in the revocation of certification. (ISC)² members are obligated to follow the ethics complaint procedure upon observing any action by an (ISC)² member that breach the Code. Failure to do so may be considered a breach of the Code pursuant to Canon IV.

Code of Ethics Preamble:

  • The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
  • Therefore, strict adherence to this Code is a condition of certification.

Code of Ethics Canons:

  • Protect society, the common good, necessary public trust and confidence, and the infrastructure.
  • Act honorably, honestly, justly, responsibly, and legally.
  • Provide diligent and competent service to principals.
  • Advance and protect the profession.

2. The second piece of information is whether a violation may have occurred under the Federal Acquisition Regulation (FAR) or Defense Federal Acquisition Regulation Supplement (DFARS). Here are the basic requirements for contractors to meet specified contract clauses from the respective references:

  • The clause is required if contract exceeds $5 million and performance exceeds 120 days
  • Applicable to Subcontracts in excess of $5 million and a performance period of more than 120 days
  • Inapplicable to Commercial Items under FAR Part 12
  • Inapplicable if contract is performed entirely outside the United States
  • Inapplicable if Contractor is a small business concern

In the case of Lockheed, the expectation is that they would be required to establish internal rules and regulations. FAR 52.203-13 is the major clause addressing contractor ethics. These details may or may not lead you to a final conclusion, but clearly raises the concern of challenges in the area of secure systems development. This clause specifically requires:

  • Contractors shall “exercise due diligence to prevent and detect criminal conduct,” –unlikely this was a criminal act
  • “Promote an organizational culture that encourages ethical conduct”–was this an intentional act?
  • There is to be timely reporting, in writing, to the agency Office of the Inspector General, with a copy to the Contracting Officer, whenever the contractor has credible evidence that a principal, employee, agent, or subcontractor has committed a violation of federal criminal law in connection with the award or performance of any government contract performed by a contractor or a subcontractor. (Again, not criminal)

So, what do you think ?

 

EDITOR’S NOTE: The individual providing this information has intimate knowledge and access to the details of this story. We respect their anonymity and are bound to the protection of that individual’s desired privacy about this matter.
Tags: , , , , , ,

More Stories

CYBER DECEPTION: Impact to Cybersecurity and the Application of Machine Learning Tools

Donna Columbus January 15, 2023

TOP 10: Challenges of NIST 800-171 for Companies to Meet DOD Cybersecurity Contracting Requirements

admin January 10, 2023

The TOP 6 Fallacies of Cyber-Threat Hunting

Dr. Mark Russo February 21, 2020

SPOT: CMMC: When 32 = 17 (Security Controls)

Donna Columbus January 3, 2020

COMMENTARY: DOD’s “NEW” CMMC is unnecessary duplication

Dr. Mark Russo October 7, 2019

Why most SIEM Solutions are Failing us

Dr. Mark Russo August 14, 2019

You may have missed

Cyber Threat Hunting (CTH) in an Age of Escalating Cyber Threats

Dr. Mark Russo July 4, 2023

Should You Hire a Virtual CISO?

admin February 1, 2023

TOP 5: The Main Implications of ML to Help Deter Cyber-threats

Dr. Mark Russo January 27, 2023

CYBER DECEPTION: Impact to Cybersecurity and the Application of Machine Learning Tools

Donna Columbus January 15, 2023
%d bloggers like this: