August 27th, 2017
“Greetings. My name is Kumquat Kwame, a prince of the Nigerian royal family, and have I got a deal for you!”
Classic email scams tend to involve mounds of money, obviously, a deceased Nigerian relative without a bank account, royal connections, and a gullible foreigner. These things abound; you wouldn’t believe the size of the royal family down there.
Scams like these are everywhere; they’re an annoying part of the digital landscape.
In the last few years, however, they’ve become more dangerous and less participatory. Now the scams aren’t about convincing you to part with your data; now it’s about hacking your systems and taking your data, and other nastiness, more aggressively and less traceably.
Cyberattacks can be ghastly expensive and dangerous.
That’s where the Canadian Standards Association (CSA) comes to the rescue. They’ve launched a new cybersecurity program. Now that CSA is on the case, our computers will be safe and secure. Brace for a digital wave of peace, prosperity and ponies for everyone.
In October, 2016, said CSA, a “distributed denial of service attack in the US dramatically demonstrated the impact of a malicious attack on unsecured internet-connected devices.” Worrying indeed. “Operators and the service providers who support them must be concerned about a host of negative consequences of cyber-attack, including… [then CSA pauses for effect, and with spiffy formatting] …breach of data security, interrupted operations, loss of revenue, unplanned recovery expense, liability of legal action for negligence, [and] tarnished reputation.”
As an aside, isn’t that exactly what CSA’s been suffering in consequence of their attacks on PS Knight? I digress….
“Failure to implement suitable security measures during the product design process can leave connected equipment and networks vulnerable to attack.”
Naturally, this leads to the pitch: the plug for CSA certification services. You see, CSA wants you to pay them to certify that your system is secure.
They’re serious about the service; they even launched it with the release of a White Paper on cybersecurity. Anyone can download their White Paper, provided you agree to CSA emailing you advertisements. You can’t read the White Paper without signing up. It’s mandatory marketing.
For all that, the CSA White Paper is unlike any White Paper on any policy issue that I’ve ever read; at five pages it’s hardly exhaustive, the content is self-serving, unsubstantial, elementary, and it reads like a tourism brochure targeting ESL graduates. The only White Papery bits are found on the last page, and these are wrapped into an advert for CSA services.
Specifically, they’re selling “Gap Analysis” and “Bench Testing” services. These purport to “determine the overall areas of cybersecurity weakness and necessary improvements” to safeguard your systems with “resilience against known cyber-attacks.” And CSA is apparently on the cutting edge of such things. “By integrating the CSA Group Cybersecurity Evaluation” with their other paid offerings, customers can “out-pace the rapidly expanding cybersecurity threats.”
CSA can out-pace digital crime? Really? John DeLorean comes to mind: “Would you buy a used car from me?”
More serious than CSA’s purported product seriousness is their lack of seriousness in their authorship. The CSA White Paper (let’s be generous with the term) is authored by a Mr. Matt Jokuc, CSA’s sometime Product Manager, Cybersecurity Technical Lead. I’ve never heard of him, and I asked around and I looked around, and nobody I know seems to know about him either. If he’s flying under the radar for security reasons, he’s doing an awfully good job of it.
Would you trust a no-name consultant to ensure your system security? What if that no-name’s brand had a record of appalling cockups?
Consider that back in February of 2016, the CSA somehow accidentally announced that their newly minted CEO, David Weinstein, was being replaced. That is, they posted that they were recruiting for a new CEO on two different digital platforms: on their own website and on their LinkedIn page. We reported this, and CSA had a tantrum over it. Apparently they weren’t recruiting for a new CEO, they just accidentally posted the digital vacancy. Twice.
In our reporting in 2016, we noted that CSA’s erroneous LinkedIn posting was still online a week after we exposed it. Why? Well, said one of our sources, “because CSA doesn’t know how to delete it!”
Said a CSA staffer: “Headquarters is a black hole of IT expense, but divisions are pretty much on their own for any systems that are not SAP. You can’t make this stuff up! Information technology is a lost art at CSA. They spend mind-boggling amounts of money on IT, but they have very little to show for it.”
“Former members of the IT department rarely discuss how dysfunctional it is, because [they] don’t want their own reputations linked to a bunch of bizarre anecdotes.”
You want a CSA anecdote? Their CEO vacancy posting on LinkedIn is still live right now, a year and a half after we reported it.
So, if it takes a year and a half for CSA to figure out how to remove a single posting from LinkedIn, and after all that time they still fail at it, then on what basis can we consider CSA an IT expert on anything, much less cybersecurity?
And that’s before we consider their record of faked testing, falsified documents, and fabricated certifications.
Actual cybersecurity consulting is on the cutting edge of IT; it’s about systems-savvy professionals and credible, capable delivery; it’s about accurate anticipation of multiple adversaries’ actions. In this light, if one were looking for cybersecurity expertise, CSA wouldn’t naturally leap to mind.
Yet, says CSA, their testing of your systems “will provide greater assurance that [your] products being delivered to the market have the highest confidence against vulnerabilities. CSA is very pleased to announce that we can offer these services [giving] designers a complete suite of testing and certification services.”
Well gather ’round folks, it’s Kumquat Kwame, and has he got a deal for you!