April 5, 2013

What is Happening v. What The Media Says Is Happening

While cybersecurity certainly does get coverage in the mainstream media the particular stories that are covered and the way they are covered tends to create a distorted picture of the current landscape. When members of the media confuse the difference between "good reporting" and unauthorized disclosure of classified information it makes a big difference in terms of the perception of the story. In fact, it makes a huge difference in terms of how we perceive collections of stories and even broad trends in security.The media made no mistake in talking about the case of Bradley Manning as a breach of national security information and a criminal act. However, the disclosure of information regarding US involvement in a cyber campaign designed to spy on Iran and stall their nuclear program was widely credited to "good reporting." The picture that emerges is of the bad guys and good guys. Manning, the Iranians, and the Chinese are the bad guys, and we are the good guys- including whoever leaked the details of a classified cyber offensive against Iran. What we focus on is the "Us versus Them" instead of questioning the value, purpose, and agenda behind the mounting cyberwar rhetoric or questioning the sensibility in escalating a war for which the US is not as well-armed as it traditionally has been for conventional wars in which it has engaged.One other point here is that there is a significant muddling of the term cyberwarfare. In the mainstream media, pretty much anything involving the US government, China, and some sort of cybersecurity topic is labeled as cyberwarfare. However, these stories range from cyber espionage to cyberwar with most of what has transpired probably being most accurately categorized as some sort of cyber-aggressive-international-relations (or cyber chest-thumping). Essentially, we're talking about state-sponsored attacks of some form against either foreign governmental targets or elements of a nation's critical infrastructure. The media has lazily resorted to classifying all of them as cyberwarfare, and that does tend to paint a particularly hawkish picture of events.What we end up with is one bucket of stories revolving around state-sponsored malware and other such topics indicating that we're involved in some sort of hidden war with China and Iran. I am willing to bet that a large majority of the US population would guess that at any point in time we are engaged in espionage campaigns against foreign nations. Conversely, few would believe that there are wars the US is involved in against other major world powers that they do not know about. Calling espionage war changes our reactions to it. We have different expectations in terms of what the outcomes of war are versus espionage, and we have generally been willing to give things up in support of a war (luxury goods, food, freedoms).The trend of coverage of these stories began with the news regarding Stuxnet in 2010 and with the confirmation that it was a product of US and Israeli offensive cyber efforts. With the flurry of news stories in mainstream news media it became clear to the general public that concepts previously relegated to movies were in fact connected to reality. Since then we've learned of Flame and Gauss, and at least partially in response to US attacks on Iran, the US banking sector has been subjected to repeated attacks from subjects in Iran and elsewhere. In addition, the US and China remain constantly focused on cyber attacks, espionage, and commercial interests have been drawn into the fray as the US government accused Huawei of trying to introduce a glut of network devices with Chinese-government backdoors in them into the US market.The real attacks will continue, but it is the posturing that is getting hot and heavy. If there is a real “war” going on here it is best classified as a Cyber Cold War.While the attacks get a lot of coverage, they tend to remain somewhat disconnected. They are one-offs that generate a lot of press and interest, but they are not part of a unified story. For example, what makes it into the press is that there is an ongoing campaign aimed at knocking US financial institutions offline. It is translated into lay-speak by focusing on what the attack is (ie- an explanation of DDoS); how access to your bank might be impacted; the potential malware associated with it and how to protect against it; and a mention of who is responsible.There is little in terms of the post-incident research going into the stories. Attribution is difficult obviously, but it is generally possible. However, it is not necessarily immediate. The problem with news media is that the story is a story now, not next week or thereafter when logs, malware samples, and other indicators are poured over to determine exactly what happened. So, by nature these stories are almost always going to be published during the containment and eradication phase of the incident, which is not the time that analysts are stopping to do the investigation to determine the source.What might be a more important story for the media to tell is how these issues relate. How are the attacks on US banks potential retribution for Stuxnet, Flame, and Gauss? A key focus obviously needs to be determining whether the attacks on banks were carried out by the Iranian government, Iranian hackers loosely affiliated with the government, or even just individuals or a group operating out of Iran but with no ties to the government. Once we turn from immediate reporting to a more investigative look inside the people and the motives associated with these stories the mainstream media can begin to actually inform the public about what's happening and why they need to care about things like:

  • The use of drones;
  • The meaning of the Tallinn Manual; and
  • Changes to privacy laws in the US.

Continue reading

cybersecurity newsletter
The MPG newsletter

Get great curated articles into your inbox.

Our semi-regular newletter is a great source of information.
No spam!