A prominent CMMC speaker and head of one of the C3PAOs “authorized” to conduct CMMC assessments by the CyberAB appears to have posted a racist dog whistle in official public comments to a recent SEC rule announcement.

The SEC rule calls for mandatory cybersecurity disclosures for publicly-traded companies, and was released for public comment around mid-2022. The prominent CMMC speaker added a comment, under his own name and within the public record, arguing that the rule is light on defining the required expertise level of cybersecurity experts. To make his case, the C3PAO rep Carter Schoenberg wrote the following hypothetical argument:

Example: If the Board of Directors for ACME advises Jamal Washington is the cyber expert, because he possesses a Security+ certification and has five years of experience in cyber security, is likely going to result in shareholder value being inadvertently diminished.

Now, to me, the inclusion of the name “Jamal Washington” to indicate someone who will cause shareholder value to be “inadvertently diminished” clearly plays into the “Jamal Trope,” where racists intentionally use ethnic-sounding names to invoke a negative bias.

The Jamal Trope was prominently dissected in a 2003 paper published by the National Bureau of Economic Research entitled, “Are Emily and Greg More Employable than Lakisha and Jamal? A Field Experiment on Labor Market Discrimination.” In that paper, researchers from the University of Chicago and MIT performed a field study to identify racial bias in hiring decisions, submitting identical resumes to help wanted ads, but using “either a very African American sounding name or a very White sounding name” to identify potential racist hiring practices.

We experimentally manipulate perception of race via the name on the resume. We randomly assign very White sounding names (such as Emily Walsh or Greg Baker) to half the resumes and very African American sounding names (such as Lakisha Washington or Jamal Jones) to the other half.

The authors concluded:

This paper suggests that discrimination is an important factor in why African Americans do poorly in the labor market. Job applicants with African American names get far fewer callbacks for each resume they send out. Equally importantly, applicants with African American names find it hard to fight discrimination in callbacks by improving their observable skills or credentials.

And:

The amount of discrimination is uniform across occupations and industries. Federal contractors and employers who list ‘Equal Opportunity Employer’ in their ad discriminate as much as other employers. We find little evidence that our results are driven by employers inferring something other than race, such as social class, from the names. These results suggest that racial discrimination is still a prominent feature of the labor market.

That study was then repeated, at a much larger scale, in 2021 by two other universities; the updated study again found:

Applicants with Black names were called back 10% fewer times across the board — and even less when it came to specific companies — despite having comparable applications to their white counterparts.

The Jamal Trope was also covered in a 2016 study published in Evolution & Human Behavior, titled “Looming large in others’ eyes: racial stereotypes illuminate dual adaptations for representing threat versus prestige as physical size.” According to a Vox article on that study:

When people were given the character’s specific background (like a business record), they didn’t associate stereotypically black and white names with different traits, based on their stated perceptions of the character’s height, build, aggressiveness, and other factors.

But in neutral scenarios, people linked the black-sounding names (Jamal, DeShawn, or Darnell) with aggression, while the white-sounding names (Connor, Wyatt, or Garrett) received more leniency.

And another study (paywall) in 2021 proved the Jamal Trope related to renting practices, showing renters with names such as “Jamal” had a harder time renting apartments.

When confronted, Schoenberg feigned indignance, telling me he was “merely using a name,” and that he could have just as well used “Jeff Henderson” or “Salma Martinez.”

In a bizarre reversal, Schoenberg then tried to accuse me of the exact thing he was doing, saying, “are you advising only a Caucasian can obtain a security certificate? That’s offensive.” Obviously, if you believe the Jamal Trope — and, since there have been studies on it, I do — the whole point of the “Jamal Washington” reference was that we should be suspicious of any non-Caucasian bearing a security certificate.

Making matters worse, there is a real Jamal Washington working in the cybersecurity field with a Security+ certificate (and a ton more.) The real Jamal could sue for defamation.

The use of “dog whistles” in white supremacist circles is to provide plausible deniability when confronted; others who understand the whistle will agree with them in silence, while critics face the kind of denials this guy immediately made to me. There’s no way to prove he was intentionally being racist, even if any casual reader will understand the intent as being exactly that.

Clearly, to make his point, Schoenberg didn’t need to give any name at all, and could have just hung his hat on the “Security+” certificate. For some reason, not only was using a name crucial for his argument, but it required using a “Black-sounding” name. Hmm.

And, of course, he could have just apologized and said it was a mistake, but he took the very opposite tack. That’s not helpful for his case, either.

But let’s play out what happens next. If the CyberAB ever gets its shit together and starts actually accrediting C3PAOs — and it’s looking less likely that day will ever come — then Schoenberg will be on the streets, doing audits. No matter what result his C3PAO grants to any company, it will now forever be in the shadow of whether race was involved. Did the C3PAO certify the company because the company was all-white? Did they deny it because they saw a Black person working there? Did they panic, and start certifying everyone because they’re afraid of the fallout from this clown’s public comments?

There’s no good outcome now. The well is poisoned.

The concepts of impartiality and objectivity are entirely alien to the CyberAB, and especially its leader Jeff Dalton, so there’s likely to be no real concern in the short term. So far, the CyberAB hasn’t even seen fit to respond to the matter. But there will be concern when competitors start launching contract award protests and lawsuits, and point to public comments like that of this C3PAO clown, putting the entire scheme at risk.

They’re handing future plaintiffs all the evidence they need to prove this is a corrupt shit-show.


UPDATE 17 May 2023: Matt Travis, the CEO of the CyberAB, has agreed to take action on this matter, and address it with the C3PAO rep.

I also updated this to indicate the commenting period has been closed for some time; it’s not clear why comments were added after the window closed.

UPDATE 4 January 2024: The Cyber AB has apparently taken no action, despite Matt Travis claiming he was in “violent agreement” that the post made by Schoenberg was racist, and promising action.

Not only was Schoenberg allowed to continue holding his Cyber AB credentials, Travis is now set to provide the keynote speech for the 2024 CUI-CON at which Schoenberg will also be speaking.

Which earned Travis the honor of having me call him the “Susan Collins of Federal cyberspace.”
