The U.S. Central Command is investigating an anomaly involving the testing center that grants ethical hacking certifications to government contractors, who are supposed to aid the agency in protecting government secrets and systems from other hackers.
The U.S. Central Command is the military agency tasked with leading operations involving the Middle East. Recently, the agency partnered with the neophyte U.S. Cyber Command on the cyberattack against an Iranian missile control system, which has dismantled Iran’s missile power.
Needless to say, the U.S. Central Command is a highly sensitive unit. Because of this, the agency is hiring ethical hackers who possess a certification that they are a) ethical in their hacking practice; and b) can think like a hacker in order to perform tasks that only a legitimate hacker can.
This is where the problem arises, as revealed by an independent investigation conducted by FOX 13. According to Ted Carrier, a cyber defense analyst for a contractor at the U.S. Central Command inside Tampa’s MacDill Air Force Base, test takers mostly cheated on the ethical hacking certification exam, and the firm that administers the test is complicit.
Carrier said that he and other applicants taking the ethical hacking certification exam were able to get undue help in order to pass. He says that in March of 2017 the contractor they worked for, SAIC, provided them with a cheat sheet containing the exact questions and answers for the next day’s test.
“So we reviewed the questions and answers, thinking it was something similar to what we’d see. But the next morning we realized that it was exactly the same questions and same answers as the actual test,” Carrier said.
Senior employees in the agency observed a lack of basic knowledge of the job following the ethical hacking certification requirement.
“In order to do this job you need to have this core base of knowledge, and all of a sudden you had people who don’t have the core base of knowledge accomplishing the duty,” said Jim Restel, who, after retiring from CENTCOM, came back to the agency as a civilian contractor for the same job he did before his retirement and was forced to comply with the new ethical hacking certification requirement.
Restel told the investigators that he was working with SAIC when the firm’s CENTCOM contract was about to expire in 2017. In order to secure the renewal of the contract, the cybersecurity firm rushed to have all of its employees certified.
“They came in verbally. They said ‘Well, who do we have available to take the test?’ They said we need to have as many people as we can in there because that makes us competitive,” Restel continued.
He confirmed Carrier’s earlier statement. He said that he, along with Carrier and twenty other cyber-defense analysts in the firm, was told to study a review guide, which apparently contained the exact questions and answers for the ethical hacking certification exam.
“The first questions come on the screen, and it is exactly the same as we had in the test bank earlier,” Restel said. “The sequence of the questions was different, but the actual questions and the answers were identical. The options of A, B, C, D were exactly the same. Identical.” He said that he essentially passed the certification test by cheating.
“I can’t tell you if I would have passed or not, but I was sweating it. I’d say 50-50 chance.”
In response, SAIC, which won the bid in 2017, said that it had investigated the allegations against the firm, determined that the claims had no basis, and denied any wrongdoing.
“Our internal investigation concluded, and according to our findings, there was no misconduct, and the allegations were not credible. SAIC is a respected leader in our industry, and this alleged misconduct does not reflect our core values and culture of integrity. We take every ethics complaint seriously and ensure that all are investigated thoroughly,” they said in a statement.
“Our investigation determined that employees had access to practice exam questions to prepare for the C/EH exam. These practice exams were through a test preparation vendor and are available for download online. Access to that information is not unethical. The exam on test day was administered by a third-party testing vendor and was taken in person at a government facility, and on a computer.”
Nonetheless, Carrier has filed a complaint against SAIC with the U.S. Central Command regarding his experience, because he believes that what happened was “unethical.”