The ISACA Disgrace
Why I believe ISACA board and leadership team must resign.
By Ehden Biber
Forward:
My mother, who was born in a Gulag in Russia, never warned me about anything in her whole life. Last week she did. "Don't talk. It's dangerous. It would be really hard to find a job if you speak out". I understand my mother, but I remember what another survivor of one of the Russian gulags have written:
“In keeping silent about evil, in burying it so deep within us that no sign of it appears on the surface, we are implanting it, and it will rise up a thousand fold in the future. When we neither punish nor reproach evildoers, we are not simply protecting their trivial old age, we are thereby ripping the foundations of justice from beneath new generations.” (Aleksandr I. Solzhenitsyn, The Gulag Archipelago 1918–1956)
I owe my mother, my maternal grandparents, and everyone who ever lived under a regime based on lies the commitment of speaking out when I feel truth is not being told.
Here is my truth.
"Disgrace: embarrassment and the loss of other people's respect, or behaviour that causes this" (Cambridge dictionary)
I have been a member of ISACA for a long, long time. My first certification was CISA, which followed by CISM and CRISC. I have been a director in the London chapter of ISACA, I have many friends who are ISACA members, and therefore I am aware that it will make many of those whom I worked with and love very uncomfortable, but I feel there is no other option: I believe ISACA board and/or leadership team must resign, as they have betrayed the Code of Professional Ethics of the organisation.
Background:
On the 1st of December 2020 I've written the following open letter to ISACA:
------------------------------------------------------------------------------------------------
TO:
ISACA board of directors, ISACA leadership team
CC:
ISACA chapter boards and members
SUBJECT: 2020 US PRESIDENTIAL ELECTION - OPEN LETTER TO ISACA
The 2020 US presidential election is being disputed these days in multiple courts across multiple US states. There are multiple legal complaints which have been filed, challenging the results with claims of inappropriate and ineffective governance and management of the voting information systems and related technologies, including the quality of the voting system audit, control, security and risk management that took place before, during, and after election day. The plaintiffs claim that these inappropriate and ineffective governance and management of the voting information systems and related technologies has violated the requirements as stipulated in the electoral system specifications set forward by the US constitution and all supporting legislations.
Security is a social construct. Without free and fair elections there can be no democracy. In a democratic society, the election system is the most important information system that exists, because without it there can be no trust between citizens, and without trust there can be no democracy.
ISACA’s own code of professional ethics states that “Members and ISACA certification holders shall: Support the implementation of, and encourage compliance with, appropriate standards and procedures for the effective governance and management of enterprise information systems and technology, including: audit, control, security and risk management.”
I believe that we, the people who have dedicated their professional lives to safeguarding the confidentiality, integrity, availability, and authenticity of information systems, have a duty, as citizens, to act as custodian of the election systems in our countries. Because democracy is the most sacred enterprise of any free society, I believe it is our duty to make sure that elections will be performed in accordance to the election system specifications. This is NOT a political, partisan issue, nor an isolated US issue.
I therefore call upon the ISACA board of directors and leadership team to urgently publish a statement on behalf of ISACA, encouraging all of its members to support any ongoing investigations in order to provide assurances to the security and accuracy of the 2020 US presidential election results. Failing to do so will not only be a violation of our own code of professional ethics, but a violation of our duties as citizens who care about the security of our societies and the peaceful future of humanity. We, as ISACA members, have both a professional duty to our code of professional ethics, as well as a moral duty when it comes to the core information systems that govern our society.
Kind Regards,
Ehden Biber (CISM, CRISC, CISSP)
London, UK
------------------------------------------------------------------------------------------------
A day after publishing the letter I discover a video of a person who had identified himself as someone whose company has worked as a sub-contractor for Dominion, and who was in charge of writing tests for the ballots accuracy. The person was talking about the potential problems were how his state handled main-in voting. He said that the machine voting and code is solid, in his opinion. HOWEVER, he stated that there is, because of the way they did mass mailout voting, there was a HUGE vulnerability in the election system, and the fact that all the ballots that come out of the machines when they are made are digital PDF files. They are unsecured, there is no chain of custody, when they are created on the county software (EMS), they are being sent to the printer, to his company that was creating tests for the machines, because they need it to do testing to the ballots. Before the mass mail-in ballots it was not a problem, and the mail-in voting was miniscule. However, the way the mail-out voting was just being sent, and there was not a lot of tracking of the ballots (who receive, who send them back etc). The sheer amount of ballots there was no good chain of custody.
He then showed a USB stick, which he claimed had on it all of the Wayne County ballots, because he wrote the tests to the state. The guy was speaking from his bedroom. No one had a problem with it. No one had a problem that when these ballots were sent to the printer it was put on a google drive, which allowed google employees to have access to it. There was no chain of custody at all. If someone wanted to print ballots all he needed was to have the files, like this guy had. After that, you can then go to a printer and print ballots (e.g. on a laser printer), as long as the cardstock paper was used. As long as the timing marks were correct, the machine would read them. He said IF there was an election fraud, "because of our irresponsible mail-in voting system, were we just mass mailed it out, there is plenty of cover for a 100,000 ballots coming out at night... there was no chain of custody, nobody knows what to expect... All the ballots are anonymous, so you will never know, that's the story of this election... because of the mail-in system you will never be guaranteed to know for sure the legitimate president... THIS WAS A CLUSTERFUCK... There is no chain of custody on ballots, that's a big deal, that's a big freaking deal. If election officials don't take that seriously they are screwing the public out of an accurate election."
He end by stating that he doesn't know anyone for Dominion, and that his company contracted for Dominion in the past to perform the tests for Dominion. And by the way, his first words in the video were "Well, I'm probably going to get fired over this."
I shared the video with ISACA, and received no response neither to my letter and to the video I shared. That was on the 2nd of December.
On the 3rd of December, as part of the Trump legal team presentation of their legal case at Georgia Senate hearing, Dana Van Buren-Smith Gave Testimony During Georgia Senate Hearing on Election Fraud. Dana, a registered nurse, was a pole worker for the November 3rd election, and a Pole watcher on the 1st initial paper ballot count on November 13rh and a Pole watcher for counting the absentees ballots on November 16th. Not politically associated, Data is a licensed practical nurse for 32 years. She decided to do her patriotic duty to be a pole watcher. In her testimony she describes how number locks, which acts as a security controls to secure the bags which were suppose to be used to transfer the ballots to the counting centre, but they had no chain of custody forms, and the responsible for the polling station refused to do a chain of custody form and demanded they will throw them into her car. "In my job, as a nurse", she explained, "If you send a urine (sample of a) drug screen to the lab and its all sealed up and you have no chain of custody form you throw it away because the chain of custody form is what proves it hasn't been tampered with." She tried to speak with the local election authorities and asked to make sure the bags are still sealed and do a chain of custody form, and their local election office refuse to do so. All our paper ballots were unsecured. When they did an initial count of the paper ballots it came out in cardboard boxes, not in the bags it was sealed with".
She added
"I don't give a rip who won. what matters to me is that the people's vote is more protected than their urine. Think about it, it doesn't matter who won, those paper ballots were not secure. I don't care if you're a democrat, a republican, I don't care if you voted for Minnie Mouse. The process is flawed when your urine (sample) is more protected than your vote... those are my voters, it's my job to protect their votes, its your job as legislators to ensure that there are safeguards for their votes, and when the law is broken and people don't follow the law you're suppose to make sure that they do."
And now there is this, an official order from the director of Michigan Bureau of Elections has gave an order to WIPE ALL THE MACHINES that were involved in the elections (see below). If anyone think it is OK to do so when there are calls for investigation of fraud they shouldn't really be working in the field of information security, and they shouldn't be certified, especially from ISACA.
And this:
I can provide more evidence here, of computer experts and mathematicians who testified there are severe anomalies, which all indicate there is something that must be investigated, but I think you got my point - this does not look good. So, WHERE IS ISACA? Could there be any more important enterprise than our democracy? This is not political at all, this is about the fabric of our society. How dare you ignore your professional duty as an association that suppose to uphold the trust in, and the value from, information systems if it chooses to ignore the most sacred system of all in a democracy? If ISACA does not call for its members to make sure they will protect the system that allows it to exist, it shouldn't exist, more correctly, it's management and leadership should resign. Where there ISACA certified people who were part of the design of these systems, or were involved in the operation of these systems, or audited them? If so, they are in direct breach of our code of ethics. Are you investigating into it? If so, why not do it openly?
Final words:
I am aware this is not a popular opinion. I am aware there are more people who hate Trump, especially in Europe, and who work in our profession than those who support him. I am aware that the above is a suicide move to make a non-popular opinion. But as Dana Van Buren-Smith said, it is about the apparent flawed election system. If we are living in a democracy I have the right to hold my opinion, to use the freedom of speech to express it, and to have an open discussion on it. If not, the disgrace is on ISACA, not on me.
ISACA board and leadership team - it is time to stand up for our code of processional ethics.
PS
I was hoping to publish an article on the neurological and biochemical reasons to WHY people are unable to perceive reality correctly from both sides of the political spectrum but as my hypothesis will shock many I need more time to go over the research on the topic, and due to the death of my mother-in-law I barely have time to do so. I will publish it as soon as I can.
With deep gratitude
Ehden Biber
London