The Wakeman isn’t the hero Gotham needs, but he is the hero it deserves.
Anyone paying attention to the CMMC debacle for more than five minutes has undoubtedly been exposed to the endless shilling by Microsoft’s Richard Wakeman, a guy who pulled off a neat career trick by apparently being first at MS to jump into the CMMC scene, thus ensuring his top spot at MS as their go-to expert. Wakeman convinced Microsoft to go all-in on CMMC, and is now the “Senior Director of Aerospace and Defense for Azure Global” at MS. He’s also been present at nearly every CMMC convention ever held since the dinosaurs roamed the Earth, and was a constant, near-nagging voice telling people to adopt CMMC as soon as they could.
The Jokes Write Themselves
To those of us with functioning critical thinking faculties, it’s always been a matter of when, not if, the punchline would write itself. There’s no company whose products are more hacked than those of Microsoft, and their billion-year history is an ongoing, real-time case example of how not to release secure products. For decades, IT professionals around the world have insisted the best way to secure a Microsoft-based system was to switch to Linux. (Like here in 2022, or here in 2015, or here in 2001, or here in 1999, or here in 1994, or… well, you get the point.)
Now, in 2023, nearly four years after Katie Arrington slurred her words and promised CMMC was imminent any day now, we see that Microsoft’s Azure platform, you know, the one that WAKEMAN IS SENIOR DIRECTOR OF, was hacked by China.
Microsoft on Friday said a validation error in its source code allowed for Azure Active Directory (Azure AD) tokens to be forged by a malicious actor known as Storm-0558 using a Microsoft account (MSA) consumer signing key to breach two dozen organizations.
The attacks singled out approximately 25 organizations, including government entities and associated consumer accounts, to gain unauthorized email access and exfiltrate mailbox data.
In case you missed the subhead, I said that China hacked Microsoft Azure:
Microsoft still doesn’t know — or want to share — how China-backed hackers stole a key that allowed them to stealthily break into dozens of email inboxes, including those belonging to several federal government agencies.
It gets worse. According to CNN, “the email accounts of Commerce Secretary Gina Raimondo and State Department officials were breached in the activity.” That same report reveals that it wasn’t even Microsoft that discovered the hack — presumably because Wakeman was too busy on the CMMC speaking circuit — but the US State Department, which “detected the cyber activity in June and reported it to Microsoft.”
This comes as a surprise to maybe one person (Wakeman, I presume) and no one else.
Did I mention that China hacked Azure? Now remember that the Dept. of Defense gave oversight authority over the CMMC scheme to the IAAC, a group out of Mexico, which itself answers to the IAF, which counts as one of its executives a literal member of the Chinese Communist Party, Xiao Jianhua.
That means that any complaint filed in the CMMC system will eventually be adjudicated by foreign actors, potentially from China itself.
Here There Be Shysters
The reality is that nearly no one — not a single person — involved in the CMMC scam is trustworthy. In nearly every case, we find they are wholly unqualified or untalented or just boozy gimps who you wouldn’t trust lending your car to, never mind relying on for cybersecurity advice. These people are self-promoting bottom feeders, whose only chance at success relies on finding some Ponzi scheme or multi-level-marketing scam to propel their career, which inevitably comes falling back down to earth like the meteor because eventually people see through it. Look at the giant crater left by Arrington’s fall from grace, for example. Do you know how many mammals were killed in that extinction event?
If I was Bob Metzger or Jacob Horne, I’d be seriously considering switching to selling Amway or Cayman Island timeshares right about now. I mean, hell, they are certainly qualified, and Armie Hammer could probably use the company.
But this won’t stop Wakeman from shilling for a product that his own company hasn’t even utilized, nor from joining the increasingly-ridiculous chorus of idiots claiming that CMMC is the cure for everything from Chinese hacks to toenail cancer. Oh, no, he’s all set to walk on stage and brave full-on public humiliation at “CMMC Con” this September, where — like Comic Con — apparently there will be lots of cosplay, where nerds with Evil Spock Beards dress up as serious cybersecurity professionals.
The only question anyone should be asking Wakeman at any event is this: if CMMC is so great, why does China have the keys to Microsoft Azure?
I’d ask him personally, but the delicate flower has me blocked on LinkedIn, like nearly every other CMMC mouthpiece, because God forbid they should hear anything that would upset their flimsy worldview.
Hey, DoD: Fix This!
CMMC cannot succeed because it is based on faulty principles and was launched as a corrupt scheme to reward a few DoD flunkies and their private-sector pals. Worse, it’s been proven not to have any effect on China’s ambitions, and it doesn’t matter because the morons at DoD have already decided that China should oversee the entire CMMC program anyway. (And, no, I am not kidding.) The DoD must dismantle this nightmare as soon as possible, and look at real ways to ensure the nation’s defense on the cyber front, without the cronyism, corruption, and collusion. By doing so, we might finally free ourselves of idiots like Wakeman.
And if you’re wondering why I’m upset about this, consider the millions of dollars being spent right now by companies and individuals buying useless CMMC credentials and preparing for unlikely CMMC “assessments.” You think Wakeman is going to reimburse you?
[In case it needs to be repeated, the above is my opinion and must be treated that way. So be sure to include this footer in any copy you send to your attorney.]
About Christopher Paris
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001 and Surviving AS9100. He reviews wines for the irreverent wine blog, Winepisser.