When Bureaucrats Cooperate…and When They Don’t

If you’ve read a few hundred job descriptions, one phrase that you’ll often see is “cross-functional collaboration.” The theory is that the employee (for example, a senior product marketing manager) will seamlessly work with marketing, product, R&D, customer success, sales, finance, legal, and everyone else, all working together for the good of the company.

But the world usually doesn’t work like that. YOUR department is great. The other departments are the bozos.

(Google Gemini)

There’s actually a benefit to this when you look at government agencies. If you believe that “the government that governs least” is preferable to Big Brother, then the fact that multiple agencies DON’T gang up against you is a good thing. You don’t want to be chased by the FBI and the CIA and the BBC and B.B. King and Doris Day. And Matt Busby.

But there are times when government agencies work together, usually when facing a common threat. Sometimes this is good…and sometimes it isn’t. Let’s look at two examples and see where they fall in the spectrum.

The Central Intelligence Agency and the Federal Bureau of Investigation in 1972

Normally bureaucrats are loyal to their agency, to the detriment of other agencies. This is especially true when the agencies are de facto competitors.

In theory, and certainly in the 1970s, the Central Intelligence Agency (CIA) and the Federal Bureau of Investigation (FBI) had completely separate spheres of operation: the CIA abroad, the FBI at home. But at the highest level they perform the same function: catch bad people. And each agency certainly wants to take the credit when a bad person is caught. Conversely, if one agency harbors a bad person, the other usually works to expose that person.

Usually.

A few of you are old enough to remember a third-rate burglary in Washington, DC in 1972. The burglary took place at a political party office in some hotel or another. We now know with the benefit of hindsight that the FBI-CIA rivalry worked. Bob Woodward learned a few days after the break-in that two of the alleged burglars were connected to E. Howard Hunt, a former CIA operative. Who told Woodward?

“Woodward, we now know, had been tipped off by Mark Felt, the deputy director of the FBI. The Bureau had itself become involved in the investigation of a mere burglary because once the police found wiretapping equipment, the investigation fell under its remit.”

(Google Gemini)

This is how it should work. Although the mere fact that Hunt knew Bernard Barker and Eugenio Martinez was not a crime, the FBI was certainly bound to investigate the matter.

Until it wasn’t.

“Richard Nixon and senior White House personnel including Chief-of-Staff Bob Haldeman and domestic policy tsar John Ehrlichman devised a strategy to block the investigation. This began to unfold as early as June 23, a mere three days after the break-in. That day, Haldeman proposed to Nixon to “have [Vernon] Walters [deputy director of the CIA] call Pat Gray [director of the FBI] and just say ‘stay the h*ll out of this’ on grounds of ‘national interest.’”

This recorded conversation would become very important two years later, but back in 1972 very few people knew about it. And very few people knew that Gray “destroyed secret documents removed from Howard Hunt’s safe.”

Think about it. If Richard Nixon hadn’t recorded his own conversations, we might never have learned that the CIA partially neutralized an FBI investigation.

But other instances of cross-functional collaboration come to light in other ways.

Immigration and Customs Enforcement and the Transportation Security Administration before 2026

The FBI-CIA episode of 1972 was an aberration. Normally agencies don’t cooperate, even when massive effort is expended to make them work together.

One prime example was the creation of the Department of Homeland Security (DHS) in 2002-2003. Because it was believed that 9/11 happened because relevant agencies were scattered all over the government, Congress and the President performed a massive reorganization. This affected the Departments of Agriculture, Energy, Health and Human Services, Justice, Transportation, and Treasury.

For our discussion:

  • The Department of Justice lost the Immigration and Naturalization Service (INS), which was broken up into three separate agencies within DHS. One of these is Immigration and Customs Enforcement, or ICE. Perhaps you’ve heard of it.
  • The relatively new Transportation Security Administration (TSA) was moved from the Department of Transportation to DHS.

The theory, of course, is that once all these agencies were under the DHS umbrella, they would magically work together to stop the evil terrorists. However, each of the component agencies had vastly different missions. Here is the mission of the TSA:

“Protect the nation’s transportation systems to ensure freedom of movement for people and commerce.”

Well, “freedom of movement” is not the primary part of ICE’s mission:

“Protect America through criminal investigations and enforcing immigration laws to preserve national security and public safety.”

While these missions are not mutually exclusive, the difference in emphasis is apparent. And the agencies competed.

Some of you may remember air marshals. After 9/11 the air marshal program was greatly expanded: some passengers on some flights were actually armed federal air marshals, but the other passengers (and any terrorists) didn’t know which flights carried air marshals or who they were.

(Google Gemini)

The Federal Air Marshal Service (FAMS) was part of the Transportation Security Administration.

Until it wasn’t.

“Homeland Security Secretary Tom Ridge announced [in September 2003] that the federal air marshals program will move from the Transportation Security Administration to the Bureau of Immigration and Customs Enforcement (ICE).”

The idea was to concentrate all enforcement operations in one agency, to protect FAMS from uncertain TSA funding, and to allow ICE agents to be cross-trained as air marshals. But the promised integration never materialized, so two years later, in 2005, FAMS moved from ICE back to TSA.

And both agencies went on their merry little ways.

Immigration and Customs Enforcement and the Transportation Security Administration in 2026

Let’s look at a recent Biometric Update article.

“When Transportation Security Administration (TSA) Acting Director Ha Nguyen McNeill was pressed [by the House Committee on Homeland Security] on reports that ICE is using domestic flight passenger information to support deportation operations, she did not deny cooperation. Instead, she defended it as legitimate intra-departmental coordination and framed it as part of DHS’s overall mission set.

“In response to lawmakers’ questions, McNeill said TSA assistance to ICE is ‘absolutely within our authorities’ when it involves sharing passenger information for immigration enforcement operations.”

McNeill effectively said that TSA doesn’t dump its data on ICE, but responds to individual ICE inquiries.

(Google Gemini)

Civil libertarians argue that this is mission creep, not the original intent.

“Airport travel…becomes a choke point for detentions – no longer just transportation, but a compliance checkpoint for civil enforcement, re-engineering mobility into an enforcement tool.”

And one more thing…

But I took special interest in McNeill’s contradictory statements that TSA is enforcing REAL ID while simultaneously allowing ConfirmID for those who don’t have a REAL ID.

In the future, it will be interesting to see how inter-agency barriers break down…and why.

Today’s Acronym is PIA (Privacy Impact Assessment)

(Imagen 4)

(Part of the biometric product marketing expert series)

Do U.S. government agencies simply run roughshod over your privacy rights?

Not exactly.

Under the E-Government Act of 2002, federal agencies are required to issue Privacy Impact Assessments (PIAs) for systems that collect personally identifiable information.

The Federal Bureau of Investigation alone has issued over 60 PIAs.

For example, here is the PIA for CODIS, the Combined DNA (Deoxyribonucleic Acid) Index System. Its national tier, referenced in the excerpt below, is NDIS, the National DNA Index System.

And if anything needs a PIA, it’s CODIS, since it potentially contains your personally identifiable information…and the personally identifiable information of your relatives.

The PIAs themselves are detailed. The CODIS PIA includes 8 sections with 19 pages of questions and responses. For example, here is the response in section 8 regarding privacy:

The type, quantity, and sources of information collected by FBI CODIS are necessary to identify crime scene offenders, missing persons, or unidentified human remains, or to link multiple crime scenes. Such information is only further disseminated for these purposes. Moreover, NDIS does not store State Identification Number/Universal Control Number or otherwise collect, handle, disseminate, or store contributors’ names. Therefore, CODIS DNA profiles and pedigrees can only be matched to a named individual by the submitting Criminal Justice Agency forensic laboratory, independent of NDIS.

  • The privacy risks associated with the collection and maintenance of FBI CODIS information are inaccurate information, unauthorized access, and unauthorized disclosures.
  • The privacy risks associated with the access and use of FBI CODIS information are unauthorized access, unauthorized (or overly broad) disclosures, and loss of data.
  • The privacy risks associated with the dissemination of FBI CODIS information are the risks of unauthorized disclosures and loss of data.

The risks of unauthorized access, unauthorized disclosures, loss of data and inaccurate information are mitigated by the quality assurance standards promulgated by the FBI pursuant to the Federal DNA Identification Act. These risks are further mitigated by the system, physical access, network-infrastructure, auditing and quality assurance controls, as described more specifically in Sections 6.1 and 6.2, which are in compliance with FIPS Publication 199, as applicable.

The risk of inaccurate information is also specifically mitigated through the identity verification process performed by participating Criminal Justice Agency forensic laboratories to confirm a potential match. The identity must be confirmed prior to the disclosure of any personally identifiable information to the law enforcement entity who submitted the DNA sample.

Lastly, notice is provided as described in Section 5.1.

OneTaste: Know Your (Convicted Forced Labor) Business

If I get my products from my vendor, why do I need to implement Know Your Business (KYB) or Third-Party Risk Management (TPRM)?

Perhaps Compliance Week has a good answer:

“About 27.6 million people around the globe are ensnared by modern slavery, which refers to people being forced to work and losing their freedom due to imprisonment, threats of violence, debt bondage, or retention of their identity papers, according to the United Nations’ International Labor Organization.”

Yeah, but who cares about Third World countries? 

Tell that to the former owners of OneTaste:

“As proven at trial, between 2006 and May 2018, [Nicole] Daedone and [Rachel] Cherwitz obtained the labor and services of multiple young women who had turned to OneTaste for healing and spirituality by coercing them to perform labor, including sexual labor, for the defendants’ benefit.”

Would you want to do business with THAT company?

Although it has undergone an ownership and name change:

“In 2017, Ms. Daedone sold OneTaste for $12 million, prosecutors said. The former OneTaste.us website now directs visitors to The Eros Platform, a community that still promotes its affiliation with Daedone, Cherwitz and their Orgasmic Meditation practice. The Eros Coaching Collective still advertises a three-session OM training package for $525.”

Pay No Attention to That Man Behind the Curtain

H/T Donal Greene for this story of non-person entities that were really people.

“The nate app purported to take care of the remainder of the checkout process through AI: selecting the appropriate size, entering billing and shipping information, and confirming the purchase….In truth, nate relied heavily on teams of human workers—primarily located overseas—to manually process transactions in secret, mimicking what users believed was being done by automation.”

From the U.S. Department of Justice press release charging Albert Saniger, nate’s CEO, with defrauding investors: https://www.justice.gov/usao-sdny/pr/tech-ceo-charged-artificial-intelligence-investment-fraud-scheme

(Picture from Imagen 3)

Why Do CPAs (the real ones) Manage SOC 2 Audits?

I’ve been around a ton of compliance frameworks during and after the years I worked at Motorola. 

  • The Capability Maturity Model (CMM), from the days before CMMI came into being.
  • The entire ISO 9000 family.
  • The General Data Protection Regulation (GDPR).
  • The California Consumer Privacy Act (CCPA) and the related California Privacy Rights Act (CPRA).
  • The Health Insurance Portability and Accountability Act (HIPAA).
  • The NIST Cybersecurity Framework (CSF).
  • I’d personally throw the FBI CJIS Security Requirements onto this list.

SOC it to me

There is one compliance framework that is a little different from CMM, ISO, GDPR, and all the others: the System and Organization Controls (SOC) suite of services.

The most widely known member of the suite is SOC 2® – SOC for Service Organizations: Trust Services Criteria. But you also have SOC 1, SOC 3, SOC for Cybersecurity, SOC for Supply Chain, SOC for Steak…whoops, I made that one up because I’m hungry as I write this. But the others are real.

Who runs the SOC suite

What makes the SOC suite different is that it’s not governed by engineers or scientists or academics.

It’s governed by CPAs.

And for once I’m not talking about content-proposal-analysis experts.

I’m talking about the AICPA, the American Institute of Certified Public Accountants (which, together with CIMA, forms the Association of International Certified Professional Accountants).

Which raises the question: why are a bunch of bean counters defining compliance frameworks for cybersecurity?

Why CPAs run the SOC suite

Ask Schneider Downs. As an accounting firm, they may have an obvious bias regarding this question. But their answers are convincing.

  • “CPAs are subject matter experts in risk management.” You see, my reference above to “bean counters” was derogatory and simplistic. Accountants need to understand financial data and the underlying risks, including vulnerabilities in cash flow, debt, and revenue. For example, if you’ve ever talked to a CxO, you know that revenue is never guaranteed.
  • “It was a natural progression to go from auditing against financial risk to auditing against cybersecurity risk.” Now this may seem odd on the surface, because you wouldn’t think mad Excel skills will help you detect deepfakes. But ignore the tools for a moment and look at a higher level. Because of their risk management expertise, CPAs can apply that knowledge to other types of risk, including non-financial ones. As Schneider Downs goes on to say…
  • “CPAs understand internal control concepts and the appropriate evidence required to support the operating effectiveness of controls.” You need financial controls at your company. You aren’t going to let the summer intern sign multi-million dollar checks. In the same way you need to identify and evaluate the internal controls related to the Trust Services Criteria (TSC) associated with SOC 2: security, availability, processing integrity, confidentiality, and privacy.

So that’s why the accountants are running your SOC 2 audit.

And don’t try to cheat when you pay them for the audit.

And one more thing

A few of you may have detected that the phrase “SOC it to me” is derived from a popular catchphrase from the old TV show Rowan & Martin’s Laugh-In.

A phrase that EVERYBODY said.

(Wildebeest accountants from Imagen 3)