8 June 2001

See related previous messages:

"CISSPs - Do You Know Your Organization"

http://cryptome.org/cissp-who.htm

(ISC)2's Response to "CISSPs - Do You Know Your Organization"

http://cryptome.org/cissp-who2.htm


FROM ANONYMOUS:

There is much more to the story of (ISC)2 than what a recent posting would suggest. (ISC)2 has become a witting or unwitting participant in a wider program of the US Government to nationalize the computer security professional community. The US Commission for National Security/21st Century recently proposed the creation of a National Security Service Corps, a Cyber Corps, and a National Security Teaching Program to begin recruitment of future government information security personnel from kindergarten through Grade 12, college, government service and beyond to subsequent employment in the private sector. This outreach program is part and parcel of an even greater attempt to deputize computer security professionals into people who are more than willing to follow the dictates of bureaucrats in Washington, even when they may conflict with the wishes of their own corporate management. We Europeans will never accept this approach in an area so sensitive to our national and supranational economic and political security.

The metamorphosis of (ISC)2 into a witting or perhaps, unwitting, tool of the US Government's plans began when certain elements achieved membership on the (ISC)2 Board through an ersatz candidate nomination process. Among these elemental links were those to the American Society for Industrial Security (ASIS), which, with the notable exception of former ASIS member and convicted Soviet spy John Walker, is the largest assemblage of proto-fascists one can find at any hotel cocktail party reception.

(ISC)2’s Board also has links to Vodafone AirTouch, a company that prides itself on giving NSA and GCHQ access to private cell phone calls in places from the UK to Fiji. One can only wonder what such back door access has to do with maintaining information system security in a professional climate.

International spy system at work in Fiji

Fiji Village - 4 Jan 2000

An AFP report says spies, special forces soldiers and some very sophisticated transnational monitoring were at work during last year's coup.

A top political source outside Fiji told AFP they had a unique view inside both the Fiji coup plotters and the Fiji Military Forces so they knew much more about what was going on. The AFP report says this was thanks to a US National Security Agency (NSA) communications spying system called "Echelon".

The AFP report says thanks to mobile telephone company Vodafone supplying most of the players with phones, and despite digital encoding, intelligence services were able to listen to all incoming and outgoing calls before and after May 19th.

Vodafone Financial Controller Pradeep Lal deferred questions until later this morning. Echelon, a vast dictionary of keywords, intercepts Email, fax, telex and telephone communications carried over the world's telecommunications network and is aimed at non-military targets, including governments, organisations, businesses and individuals.

The French national Assembly and European Union are currently inquiring into Echelon.

The Sunday Times, 31 January 1993. Main section, p. 12. (Home News)

SPYMASTERS ORDER REDESIGN OF 'TOO SECURE' MOBILE PHONES

by Christopher Lloyd

Last week a Department of Trade and Industry spokesman confirmed changes were being introduced to make it easier for security agencies -- ranging from GCHQ, the British government's listening post near Cheltenham, to the FBI in America -- to eavesdrop.

Vodafone, Britain's largest analogue mobile phone company, which has already installed 250 GSM base stations covering 50% of the UK population, said its network will need to be adapted to accept the new codes.

"Government authorities have made it known that they don't want this high level of encoding," said Mike Caldwell, the spokesman for Vodafone.

Caldwell said the problem with the original system was that it would take security services weeks rather than minutes to decode the conversations they wanted to bug.

The (ISC)2 Board also has links to Atomic Tangerine, which is -- believe it or not -- the new name for SRI Consulting of Menlo Park, California. SRI has long-standing links with the three-lettered US intelligence agencies. Atomic Tangerine now has a sweetheart deal with INTERPOL and its right-wing fanatic leadership of Ray Kendall and former US Treasury head cop Ron Noble -- the same guy who abruptly closed off Pennsylvania Avenue one midnight without telling anyone, including the mayor and transit authority. INTERPOL is trying to internationalize the sharing with law enforcement (namely INTERPOL) of sensitive information system security weaknesses by multinational businesses in much the same way that the FBI is seeking such access within the United States.

Atomic Tangerine is also reportedly supporting a new US military cyber warfare training center near Barre, Vermont at Norwich University -- a military college that was recently named an NSA Information Security Education "Center of Excellence." The new cyber warfare center, which is officially run by the Vermont National Guard -- appears to be a future (and very secretive) training center for US and foreign military and government computer hackers.

The Vodafone AirTouch and Atomic Tangerine links are at loggerheads with the stated goals of (ISC)2 to protect information infrastructures and not foster cooperation with companies that engage in such practices.

President Signs Bill That Includes $8.6 Million For New 'Armory Of The Future' At Norwich U.

August 18, 1999

(Aug. 18, 1999) -- President Clinton has signed into law an annual military construction budget, including $8,652,000 sponsored by Sen. Patrick Leahy and Sen. Jim Jeffords, for construction of a modern new "armory of the future" at Norwich University in Northfield, for use by the Vermont Army National Guard. The senators had included the project in the Military Construction Appropriations Bill for federal fiscal year 2000, which the President signed Tuesday.

The funds are for construction of a 94,649 square-foot Vermont Army National Guard multi-purpose training facility to be built at Norwich University in Northfield, on land Norwich will donate for the project. The state is expected to contribute up to $200,000 for special design features.

The armory would implement a new concept for Army national guard training facilities, allowing low-cost computer simulations and video-teleconferencing capabilities. It also will house the headquarters and the headquarters company of the 86th Armor Brigade and several associated units, including an Information Warfare unit.

Since information warfare seeks to disrupt computer systems and infrastructures, one must question the following adherence of (ISC)2 to its own CISSP Code of Ethics, as follows:

Odd company (ISC)2 is keeping in lieu of its stated commitments to system protection -- links with companies that tap phone calls and those that support a future generation of military computer hackers. And this from an organization purporting to represent professional information system personnel. We think not!!

Now, let’s examine the recent counter-claims of ISC2 in a recent Internet posting.

(ISC)2 is a not-for-profit organization under the laws of the United States of America and is chartered in the state of Massachusetts.

Fair enough, except for the fact that (ISC)2's Operations Office is run by a for-profit company -- SMT, Inc., located in Dunedin, Florida at 2494 Bayshore Blvd., Suite 201. Well, how does (ISC)2 avoid the perception that its Operations Office and SMT are one and the same? (ISC)2 uses a local Post Office Box drop instead of a mailing address (a clear indication that they want to hide something). And where is that PO Box located? You guessed right -- Dunedin, Florida (PO Box 1117).

(ISC)2 opened its European headquarters in London in March 2001.

Okay, but what they are not admitting is that its European headquarters is co-located with another for-profit company, the European subsidiary of MIS Training Institute (MISTI), System Security Ltd. (SSL). MISTI's web site states SSL's address is Nestor House, Playhouse Yard, London. And where is (ISC)2's European "headquarters" -- according to the (ISC)2 web site? You guessed right again -- Nestor House, Playhouse Yard, London. Never have we seen such an attempt to bifurcate same addresses since FBI agent Guy Banister and Lee Harvey Oswald tried to convince everyone that 544 Camp and 531 Lafayette in New Orleans were two different addresses. That type of ploy didn't work then and it doesn't work now.

(ISC)2 has CISSPs in 48 countries other than the U.S. 

Hopefully, this figure does not create "countries" that do not really exist as separate nations, e.g., Puerto Rico, Scotland, Alaska, Hawaii, Wales, Northern Ireland, and England.

Allegations that the genesis of the CISSP program was based on a contract with the U.S. Postal Service are false.

It is true that the largest portion of the original and non-trivial seed money for (ISC)2 came from the US Postal Service, which requested (ISC)2 to tailor training to meet its special "needs" -- read that as the US Government's special needs. This contract should be available to the public pursuant to a Freedom of Information Act request and will specify amounts of money and services rendered.

The (ISC)2 Common Body of Knowledge (CBK) was based extensively on work performed by an international committee led by Mr. Corey Schou, a professor with Idaho State University.

This is quite an astounding claim when one considers that the early CBK committees met at the NSA’s C Group building at Friendship Annex and at the National Institute for Standards and Technology (NIST) before and during the Desert Storm hostilities, 1990-91 (at a time when access to NIST’s normally open compound was restricted). Obviously these would not be areas where one would find a horde of international committee people (even Canadians) attending such meetings.

Suggesting that the U.S. Postal Service contract was the "genesis of the CISSP program" fails to acknowledge the hard work of a number of U.S. and international information security professionals in launching the CISSP Certification program.

This is a true statement if one only considers Canada in the international category. However, most people around the world consider Canada to be merely the "near abroad" of the United States.

With respect to "the associated training remained largely U.S.-oriented, with heavy emphasis on the U.S. government standards developed in the early 1980s by the U.S. National Security Agency (NSA)." As most people who have been involved in information security since the 1980s know, the so-called "Rainbow Series" of documentation developed by NSA was a source of information security processes and methodologies.

The so-called Rainbow Series were never embraced by the private sector in the United States or abroad. Most people involved in information security since the 1980s are very much aware of this fact.

In 1998 and 1999 (ISC)2 invested significant effort and resources to "internationalize" the CISSP certification by removing references to US law and policy and incorporating international standards like BS7799.

Most people familiar with the testing and training in 1998 and 1999 know that an over-abundance of US law and policies were still contained in both. As for BS7799, this British standard was never adopted as an international standard and the British Standards Institute has never been recognized as an international standards body. The distinction is reserved for the ISO in Geneva, Switzerland. BS7799 is largely as meaningless to international practitioners and professionals as the Rainbow Series. We are led to believe that the US, Canada, and Britain somehow represent internationalization. From a continental European vantage point, nothing could be further from reality!!

(ISC)2 is an independent, not-for-profit company whose programs are not tied to any vendor, technology, methodology or government.

See the self-explanatory remarks above on links with companies and government.

Moreover, it is a mystery why the author launches into a diatribe against the United States and concludes that any U.S. organization is automatically a pawn of the U.S. Government or puppet of the NSA.

Why would any country want to trust its infrastructure to an entity that has so many links with entities that seek to disrupt or spy on it?

(ISC)2 believes there is a clear need for Europe to endorse information security certifications as one of the ways to help safeguard its critical and sensitive information and systems.

That can best be done by Europeans for Europeans. Americans need not apply!!!

(ISC)2 is the independent body that has the knowledge, vast experience, and infrastructure to support the information security certification needs of Europe and the rest of the world.

"Independent body" is the questionable term here.