Celebrating Excellence in Cybersecurity, The Public-Spirited Work of András Ferencz

-

Celebrating Excellence in Cybersecurity, The Public-Spirited Work of András Ferencz


Earlier this week, a colleague reached out for a letter of recommendation. It reminded me that some of the most important acts of public service never come with a title, a badge, or a paycheck. They come from people who see a risk, understand the stakes, and choose to act anyway.

András Ferencz is one of those people.

Over six months last year (beginning in March), András, acting solely as a private citizen, independently identified and responsibly disclosed three significant cybersecurity vulnerabilities affecting Social Security Administration websites and online services. These were not edge cases or academic exercises. They were serious weaknesses that SSA missed, and if left unaddressed, could have exposed sensitive personal and federal tax information, enabled account takeovers, and created real opportunities for fraud against the American public

What makes this work exceptional is not only the technical skill involved but also the motivation behind it. András was not an SSA employee. He had no contractual duty to report these issues. There was no expectation of compensation, credit, or recognition. He acted out of a genuine sense of responsibility to protect people he would never meet and systems he did not own.

Each disclosure was thoughtful, precise, and actionable. The information provided allowed government teams to respond quickly and effectively. Because of András’s diligence, the security posture of a critical federal program was measurably improved, and risks to millions of Americans were reduced

In an era where cybersecurity is often discussed in terms of tools, budgets, and frameworks, András’s story is a reminder of something more fundamental. At its core, cybersecurity is also about character. It is about ethics, judgment, and the willingness to use one’s skills in the service of the public good.

András Ferencz represents the very best of what the cybersecurity community can be. Skilled. Ethical. Civic-minded. His actions reflect a deep commitment to protecting America’s digital infrastructure, simply because it was the right thing to do.

That kind of excellence deserves to be celebrated. Thank you, András.



Comments

Post a Comment

Popular posts from this blog

Breaking the Bottlenecks: Information, Access, and the Fight for Time ACRD 2026 Annual Conference Keynote: Kissimmee, Florida

-
  Good afternoon, everyone. Welcome to Orlando and the ACRD annual conference! It’s a pleasure to be here with you, and even better to see folks in person. We spend so much time on calls, emails, on screens, and helping others, that we don’t always get the chance to step back, shake hands, connect. You matter. You’re doing the hard work. This conference is your opportunity to lean in and connect with “birds of a feather”, other people doing the same work across this great country of ours. So, I am looking forward to the conversations this week. The ones in the hallway. The ones over coffee. The ones where someone says, “Are you seeing this too?” And the answer is usually, “Yes. Every day.” Now I will admit, when I saw the conference was in the Orlando area, I thought to myself, this might be the only conference where people flew in thinking they were going to Disney, and instead got a deep dive on disability policy, medical records, and administrative law. Not quite Space Mountain....
Read more

The McDonaldization of the Social Security Administration

-
Image
Imagine pulling up to a Social Security field office like it is a McDonald’s drive-thru. You state your problem into a speaker. You hand over your papers to someone trained mostly to take the order. Then your claim disappears into a distant kitchen, where some centralized unit, automated system, or overworked specialist is supposed to make sense of it all. That may sound efficient. It may even sound modern. But for an older person who cannot navigate a phone tree, a disabled claimant who cannot explain their life in a web form, or a rural worker who has paid into this system for forty years and now needs help, it feels like something else. It feels like being moved through a line instead of being served by a government that knows your name, understands your problem, and has the authority to fix it. Let me be clear. I believe in IT modernization. I believe in AI. I believe Social Security needs a serious digital future. Modernization is not the same thing as hollowing out service. AI is...
Read more

Obfuscation Is Not Security

-
Image
  There’s been much ado about sensitive information being shared inappropriately with the public. Reality is more nuanced and troubling. Most federal agencies possess deeply ingrained political instincts that overemphasize secrecy in public statements, rely heavily on “obfuscation” as a low-cost security strategy, and suffer from consistently poor operational security (OpSec). A prime example is the Social Security Administration. On February 26, 2014, then Acting Commissioner Carolyn Colvin testified before Congress, stating: “Although there is a low level of fraud in our disability programs, no amount of fraud is tolerable.” While well-intentioned, this kind of messaging sets unrealistic expectations for the public. Fraud is a risk in any large-scale system, and every major bank accepts certain loss levels as the cost of doing business. Striving for zero fraud is noble. Pretending it’s achievable without tradeoffs is misleading. As one former CIA Director put it: “If an organizat...
Read more