The cognitive dissonance¶

What clients believed they had¶

A security partner inside the trust boundary, whose tools were their tools and whose observations served their interests.

This belief was not unreasonable. The services were good. The advice was sound. The incident response exercises produced genuine improvements. Clients trusted the provider on the basis of real evidence. What was cultivated was not a false impression of competence. It was a false impression of complete alignment, which is considerably harder to detect and, it turns out, considerably more useful to maintain.

What clients actually had¶

A provider running third-party surveillance tooling across their infrastructure and forwarding the results elsewhere. The security services were real. The surveillance ran alongside them, indistinguishably, using the same access. Clients were not deceived about what they received. They were not informed about what else was happening while they received it.

The distinction between active deception and the management of disclosure is one the MCLU is somewhat tired of having to make, primarily because it is raised most often by parties who would prefer it not carry consequences.

What this means for the advice clients received¶

Clients did not simply have their data observed. They had their security posture developed by a provider who was simultaneously reporting that posture to a third party. The vulnerability assessments were conducted by someone forwarding the results elsewhere. The hardening recommendations were made by someone who passed the remaining gaps on.

The advice may still have been good. The assessments were made by someone who was also briefing someone else on what they found, and that someone else has not been identified. Clients who built subsequent security decisions on those assessments should factor this in.