We’re struggling to manage cyber security risk. Partly it’s because attackers are more agile than defenders. But it’s also because we struggle to get accurate information to make good risk management decisions. To make good risk management decisions we need to understand who the threat actors are, their capabilities, how likely it is that we will be a target and how we can best defend ourselves. To form these views we use information from different sources including personal experience, TV, movies and news. Unfortunately, there are a number of reasons why some of our cyber security news sources aren’t as helpful as they should be. In fact, they may be impairing our ability to deal with cyber security threats.
Firstly, cyber security news often asks us to accept a version of events from unnamed sources. The problem with unnamed sources is the lack of accountability. If the information is incorrect or false, either deliberately or accidentally, who do we hold responsible? Without someone’s reputation being at risk how do we give the information any value? This isn’t a new problem. In 2012 Marcus Ranum resigned from the SANS newsbytes editorial board in protest about the use of unattributed claims. Ranum was especially damming about unattributed cyber security claims about a sovereign power: “In the past decades, we have seen how the rush to war can be encouraged by yellow journalism, false reporting, and media manipulation”. A lamentable recent example of anonymous sources producing false news is the Washington Post’s discredited report that Russian hackers had infiltrated the US Electrical Grid.
Secondly, it’s easy to embrace narratives that align with our world view no matter how tenuous the evidence. We have ‘experts’ using their gut instinct instead of actual insight or direct knowledge. Russia expert Edward Lucas pronounced himself certain that Snowden wasn’t a genuine whistle-blower. Lucas had no special insight that we didn’t. He was just telling us something that fitted his world view of the Russians being omnipotent master manipulators and there being no possibility of anyone in the US cyber arms industrial complex acting out of conscience. Maybe Lucas is right. But the point is he can’t be sure and neither can we. His supporting rationale was so ludicrous that it would make great comedy if his views hadn’t been taken so seriously.
Thirdly, there is the trend for sensationalism. This is both from government officials and from the media who amplify to absurdity. The US Director of fear-mongering, James Clapper claimed in 2014 that “Looking back over my more than half a century in intelligence, I have not experienced a time when we have been beset by more crises and threats around the globe.” Well, except for the Cuban Missile Crisis, the collapse of the Soviet Union and 9/11. ISIS and Al-Qaeda can rest easy now that government officials are doing such a good job spreading messages of fear.
Lastly, the presence of evidence isn’t enough. Evidence needs to be peer reviewed if we’re going to have confidence in it. History is beset with examples where closed communities interpreted evidence incorrectly, and the error was only corrected when the evidence was shared with a wider community of experts. For example, the Guardian newspaper published, without sufficient peer review, an explosive article alleging that WhatsApp encryption was insecure and users were at risk. After publication the article was rubbished by the wider community of experts.
So why does all this matter? If we want to help the public and the organisations we work for improve their cyber security then we need to help them make better decisions. Making better decisions means insisting on good quality information. If we give people the impression that encryption can’t be trusted then they won’t use it. If we let nationalist narratives run wild using anonymous sources then we skew people’s understanding of internet threat actors. If we excessively scare people with a cyber Pearl Harbour then they won’t make good decisions. If we give people the impression that all leakers and dissenters are controlled by foreign powers then we won’t take the necessary steps to fix the reputation of our internal whistle-blower programs.
As a security profession we can be part of the solution. If you’re asked to comment on ‘news’ which relies on unnamed sources then call out the lack of transparency. If you see good quality reporting based on peer reviewed evidence then praise it. It’s in all our interests that our cyber security reporting is as accurate and accountable as possible.
A version of this article was published in the May 2017 edition of the ISSA Journal.