American consultants in the cybersecurity space are flush with new powers and enthusiasm, brought on by a raft of certification schemes like CMMC. Unfortunately, they are making the same mistakes as the decades of quality management and ISO consultants before them, setting the stage for a nearly identical result: alienation and frustration of their target audience.
Let’s agree on one reality: no one grows up wanting to become a consultant. Students don’t graduate from university on Friday and open their consultancy the next Monday. Instead, consultants emerge from one of two conditions: they either quit their last job, or were fired from it.
The exact circumstances of the consultant’s departure from their prior job would, of course, determine the level of baggage they bring with them on their journey. For some, the departure was friendly enough and had little impact on the consultant’s mindset. For others, the departure was a dumpster fire, and the consultant’s worldview has been permanently tainted.
The baggage shows up in demonstrable results. ISO 9001 is the world’s most famous ISO standard, and covers quality management systems. It descends from the 1950s defense standard MIL-Q-9858, and was first published in 1987. We have decades of experience with its content and the ecosystem around it.
Over many revisions, drafted by the quality management consultants who dominate the ISO 9001 technical committee, the standard has changed to reflect the personalities of its authors. Clause 5.1 on “Leadership” has grown into a monstrous list of personal grievances, demanding that “top management” demonstrate respect and obedience to the QA function. Some of ISO 9001’s authors admitted to me, during the many interviews I conducted while writing Surviving ISO 9001, that yes, they were frustrated and wanted the risk of de-certification hanging over the heads of executives who had denied them a seat at the executive table.
This means the quality consultants had failed to make the case for their discipline, and were relying instead on brute force – knowing that government and prime contracts often demand ISO 9001 certification as a condition for bidding – to get their day in the sun.
Deming Was An Asshole
We also see this in the mythology surrounding quality’s foremost “guru,” W. Edwards Deming. The mythology goes that Deming was a genius who developed many modern quality concepts, tried to pitch them to the UK and US, and was snubbed. He then took his ideas to Japan and single-handedly saved that country, turning “Made in Japan” from a mid-century snide insult into the quality imprimatur we recognize today.
The reality is not that. Deming was a sullen, irritable, and often angry guy, who alienated his audience by demanding loyalty to his ideas and then accusing critics of heresy. His publications are replete with pompous attacks on the powers who rejected him. Deming failed to sell his ideas because he was a miserable messenger. In Japan he had more success, but even some of that came from repackaging ideas already present in that country, developed by actual Japanese engineers. Deming also benefited from the post-war, racist “white savior” myth that only an old white American could turn around “those yellow savages.”
To this day, Deming is mis-worshipped on the strength of this mythology. Worse, following Deming has turned into a mindless cult, where his acolytes now try to shoehorn ideas from the 1960s into 21st-century technological advances like AI, quantum computing, and continuous automated production.
The cybersecurity and CMMC crowd are now repeating history. Once again, the standard and its certification scheme have been handed to private consultants for stewardship. Once again, those same consultants are willing to make the standards complicated in order to sell “deciphering” services afterward. Once again, those consultants are failing to win the hearts and minds of their intended audience, failing in their messaging, and relying instead on the “standards bully pulpit” to beat companies into submission.
There is a troubling – and noisy – caucus of consultants who demand CMMC compliance, for example, on the argument that “you have been legally required to be NIST compliant already, so if you’re not ready for CMMC, that’s your own fault.”
To which the Defense Industrial Base says, “hey, you’re kind of a dick.”
The ISO quality folks did the same thing, pointing back to contractual requirements for MIL-Q-9858 compliance. Over the past 30+ years, the argument only backfired. ISO 9001 adoption in the US has dropped off to all-time lows, with the intended user base rejecting the argument and, frankly, getting pissed off at those saying it.
The ISO 27001 certification scheme, for information security management systems, suffers the same fate: sure, there were contractual obligations and laws demanding minimal information security controls, but ISO 27001 certifications remain dismally low in the United States anyway. The information security crowd hasn’t learned yet that using threats to win contracts doesn’t work.
Worse, this argument ignores the fact that the US government is filled to the gill-holes with regulations that go unenforced. ITAR, HIPAA, ADA, heck, even seat belt laws, are enforced only sporadically, and typically through an occasional case where a government body picks on one person or company to “make an example of them.”
Suddenly calling for 100% compliance with “the DFARS” is disingenuous. (It’s also hilarious coming from members of the CMMC Accreditation Body which, itself, is in violation of the Americans with Disabilities Act, and a host of other Federal laws.)
Arrington & the Privatization of National Defense
Katie Arrington – whose background was in the sales departments of cybersecurity consulting firms – launched CMMC on this same strategy of threats. She demanded loyalty to her program, and declared – without any grounding in reality – that CMMC would become the law of the land yesterday, and that anyone not adopting it would eventually be prohibited from selling anything to the US Federal government. And not just the DOD, mind you: CMMC was going to be adopted across all of government, so even if you sold a 3-hour training session to the Department of Education, you were going to need CMMC certification.
Arrington then surrounded herself with cybersecurity consultants, because that was the world she knew and the friends she had. The results have been predictable. A monstrous cottage industry – no, let’s call it what it is: a dystopian multinational industry – popped up overnight, happy to parrot Arrington’s false claims in order to sell its wares. That was quickly coupled with a now-meme-worthy trope that “you should have been doing this all along anyway, so quit griping and buy our stuff.”
As expected, it’s going over like a lead balloon filled with more lead.
The cyber guys aren’t paying attention to history. They don’t care that this tactic was responsible for the US losing ISO 9001 certifications, so that our totals are now in line with what we had back in 1997, and dropping fast. Within the ISO scheme, entire US certification bodies went out of business, tens of thousands of auditors were dropped from the work, and the survivors have had to eke out their remaining business in third world countries where selling ISO certs is cheap and easy (and without that pesky conflict-of-interest oversight).
Much of this falls in the lap of the US government itself. If Russia bombs an Alaskan pipeline with a drone, the DOD will treat this as an act of war, and apply a military response. The DOD wouldn’t demand the pipeline company build its own private military and buy its own anti-aircraft weapons to defend itself.
But if Russia destroys an Alaskan pipeline using some code sent from a dude’s basement in Ukraine, the DOD will instead demand the pipeline company mount – and pay for – its own defense. The DOD will then get indignant that the private company didn’t have its own national defense policies and procedures in place all along.
To be clear, the US Constitution creates only one mandatory function for the Federal government: the preservation of the national defense. All other duties in the Constitution are, according to Jim Talent of the Heritage Foundation, “permissive in nature” (emphasis added):
Congress is given certain authorities but not required by the Constitution to exercise them. For example, Article One, Section Eight gives Congress power to pass a bankruptcy code, but Congress actually did not enact bankruptcy laws until well into the 19th century.
But the Constitution does require the federal government to protect the nation. Article Four, Section Four states that the “United States shall guarantee to every State a republican form of government and shall protect each of them against invasion.” In other words, even if the federal government chose to exercise no other power, it must, under the Constitution, provide for the common defense.
Naturally, privatizing national cybersecurity defense won’t work, and no nation has ever been able to properly defend itself by demanding that the victims raise their own militaries. That’s not how nations work. But it is how current US policy approaches cybersecurity, because we have a government that does not understand any technology invented after the rotary dial telephone.
But consultants are more than willing to go along with this, because ka-ching.
Let’s be clear, though: this will not shore up the nation’s cybersecurity footing. This will not make us safer. It will make the Arrington Gang a lot of money in the short term, but will weaken us as a nation. If China and Russia see that they can mount far more successful attacks on the US without spending money on building tanks and airplanes and submarines, and that the US will simply shrug off defense responsibilities back on the victims, it’s win-win for the bad guys.
So how to fix this? First, the US government needs to take cyber attacks seriously, and use the world’s largest military budget to shift towards cyber defense. Instead of a “Space Force” to address attacks that may never happen, there should be a “Cyber Force,” since those threats are already here and are having real and effective impact. A country like Nigeria will never have the tech to launch attacks from space, but it will have some college grads who can take down a water treatment facility via an internet connection.
Or keep the Space Force too. Heck, do both. Shift some of the funding that currently goes to Lockheed and Raytheon for hardware programs that never actually come to light, and put it into the Cyber Force budget instead, where it can have an actual impact on Day One.
Next, cybersecurity consultants need to learn from history, and stop being Deming-like irritable, abrasive assholes. They need to sell programs like CMMC on their merits. That means presenting a vision for what CMMC will achieve, how it will do so, and why this is important. People will understand that it’s new, and that its advocates cannot provide decades of “past performance” – we all get that. But instead of lying and threatening, tell us how this will work. Win the hearts and minds.
Finally, the cybersecurity folks need to learn to read the room. Despite the entirely fabricated notion that cybersecurity certifications are in demand right now, this is not the time for price gouging. You don’t get to call yourself a patriot and then jack up your rates so you can buy a new boat. Costs must allow the most companies possible to pursue the certifications. This should not be yet another program that only allows the Lockheeds and Raytheons to succeed, and which puts small defense contractors out of business. That’s not patriotism; that’s adherence to totalitarian plutocracy.
About Christopher Paris
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001 and Surviving AS9100. He reviews wines for the irreverent wine blog, Winepisser.