We need to expect more out of the press, policymakers, and the pontificating “Cyberwarfare Experts” producing stacks of reports about the “Cyber-security threat.” Graham Messick, the CBS producer of this 60 Minutes episode, “Cyberwar: Sabotaging the System,” did not do his due diligence as a reporter. A standard tool for building balance in a story is to find counterpoints. There was not one counterpoint in the entire episode! We need to expect more. We need critical review. Without critical review, we get FUD that distracts the world from the cyber-security challenges that are impacting businesses today.
Some flaws that I saw:
- No counterpoint to Michael McConnell. While I respect Adm McConnell’s time in service, his experience, his record, and his insight, a balanced story would have counterpoints to his assertions. He is pulling from classified resources, sanitizing them, and then providing analysis. Public risk cannot be gauged unless that analysis is counterpointed by others who can see other evidence that will either reinforce or contradict it. With no counterpoint, the only thing you have to go by is “trust me – I know what I’m talking about.” This is not acceptable in today’s world. “Trust but verify” is a guiding principle – especially with the multitude of Washington DC “Cyber-Security Experts.” It also does not help to have a backdrop in the opening shot of Adm McConnell walking past the Booz Allen sign, advertising where a viewer can get help. This devalues Adm McConnell’s analysis.
- There was way too much newspeak about “the Enemy” and “the Chinese.” We have people who grew up in the “cold war” analysis that allowed people to point fingers at the Soviets. We cannot do that with today’s cyber-security threats. The “cyber” situation is much more complicated. There is no equivalent historical mapping. Using broad “blame the Chinese” statements INCREASES THE RISK. Why? Because it assumes control over cyber-warfare assets. Nation-state cyber-warfare has a check and balance. A country like China will not sanction a cyber-incident that would threaten the US infrastructure, the economy, or the ability of the US to pay back its loans to China. In a way, the borrowing from China puts a “throttle” on the threat. But there is no throttle on the ~500,000 ‘hackers’ in China who are not controlled by the Government of China. They have no “throttle” on their behavior. They are motivated by patriotic passion, ego, and greed. They whack down sites, organizations, and institutions weekly – even with big media campaigns in China asking them to “behave.” They are complicated, uncontrolled, smart, and effective. So when we get reports like this 60 Minutes piece which say “the Chinese,” we are doing the viewers a disservice. The simplistic painting communicates that the government of China is the threat and can control the “Chinese Threat.” The reality is that no one can “control” the half a million smart, patriotic hackers in China. That is a much bigger threat.
- Who is the “Enemy?” This is another vague outline that whitewashes the complexity of the threat. There are motivational and risk differences between the “Nation State,” Cyber-Criminals, and the P³ threat (Politically, Passionate, and Patriotic). In essence, the “experts” are not explaining the complexities – they are trying to generate some sort of “reaction,” yet not serving the public good.
- Brazil – was it really a targeted attack or collateral damage? Many of these “sources” in the “military, intelligence, and private security sources” cannot distinguish a collateral damage incident from an intentional targeting of a resource. The “Brazil” incidents cited in 60 Minutes had more to do with the collateral damage of malware infecting the power infrastructure than with any sort of “planned attack.” The references make people think that there is “someone in control.” That is scary, but it does not point out the real problem. With SCADA (power infrastructure), the real problem is malware spreading through a network, infecting other machines, and then collaterally affecting the SCADA network as the infection spreads and/or as the “BOTNET Herder” who is mining the malware pokes around and explores the network. This is another “expect more” example. By ignoring the bigger threat of “collateral damage” from malware, the producers make it seem that “some bad guy” is out there that we can do something about. The problem is worse, complicated, and a lot harder to address.
- Talking to experts who do not “fight the battle.” In this environment, beware of anyone who glosses over the details. Ask how many “attacks” they have run to ground, defended against, or did the postmortem work on to produce an RCCA (Root Cause Corrective Action). There are plenty of people who fight the fight. These Policy Wonks tend to hype things in their favor. For example, they talk about “some foreign power” when there is no evidence that it was a “foreign power.” There is evidence that it was someone not residing inside the US. That difference is a BIG difference. “Foreign Powers” have throttles – which are controlled by some sort of governance. While these “Foreign Powers” might be hostile to the US, they have a measure of control – influenced by other real-world pressures. But, statistically, the “Pearl Harbor” incident at CENTCOM was more likely a P³ or Cyber-Criminal attack. Neither of these is a “foreign power.” Both are dangerous in their own way – and in many ways a scarier way. Cyber-Criminals are motivated and “governed” by money. There has to be a cash flow from the cyber-attack. No cash flow, no attack. If Cyber-Criminals hit CENTCOM, their “take” would be to sell something – access, data, hijacked computers, etc. – as long as there is some sort of monetary return. Now, the monetary return could come from selling to P³ or Nation State resources. P³ is the scarier of the two – given that there is no “governance.” A terrorist, a passionate political “protester,” or patriotic citizens (of another country) all have no “throttles” on their behavior. This makes them more dangerous.
On the bright side, Shawn Henry – Assistant Director of the FBI’s Cyber Division – really pointed out the real threat from Cyber-Criminals. “I’ve seen attacks where there have been 10 million dollars lost in one 24 hour period. If that had happened in a bank robbery where people walked in with guns blazing, that would have been headline news all over the world.”
In a way, the “cyber-crime” digression in the middle of this 60 Minutes piece is a better-produced segment. Why? Most likely the production team worked with the FBI – people who are ‘crime fighters’ working on the front line. This demonstrates the need to contrast sources – taking information from policy people and providing counterpoints from people who are on the front line. In essence, we need to demand more out of the press. The cyberwar reports coming out of the “Beltway” require critical review. Without critical review, we get misleading and self-serving reports designed to generate business for the sponsors of the authors.
Need Security Advice?
If you find your organization needs help and you worry about the FUD from the industry, reach out and ask for help. You can reach me at firstname.lastname@example.org. Start with the Operator’s Security Toolkit. It is no-nonsense security guidance for all Operators. It provides details to help them build more security-resilient networks. In the meantime, stay connected to the Senki Community to get updates on new empowerment and security insights.