Late last week, controversial researcher Jonathan Scott posted what ultimately created concerns about Olympic security among the masses, claiming proof the Chinese app provided to Olympic athletes is a full-featured audio surveillance product, even more so than earlier announcements from the University of Toronto's Citizen Lab. The claim was rebroadcast by a high-profile news columnist, a sitting U.S. senator and others sounding a fierce alarm, and cybersecurity researchers and reporters who concluded Scott misinterpreted his purported evidence. The hype went in one direction, follow-up research veered in the other.
In general, in a world where your boss's boss is more likely to follow Marco Rubio on Twitter than someone with a DEF CON hoodie profile pick, company leadership is more likely to pick up on an undeserved public panic than a rational infosec rebuttal. When leadership gets immersed in the wrong threat — whether it's a nation-state on the cover of the New York Times or a plot point on last night's episode of "NCIS" — security pros risk wild goose chases. Luckily, there are strings to pull to untangle a CEO.
There are real problems associated with focusing on the wrong threats. The obvious one is missing the real threat.
"We might see it on a day-to-day basis as we're protecting the customer they haven't implemented MFA or what have you. And if you haven't implemented MFA, but you want to talk to me about Chinese nation-state attacks, that doesn't make any sense," said Dave Merkel, chief executive officer of the MSP Expel.
But there are deeper problems, too. Practitioners will not be able to keep a five-alarm pace for every threat, and leaders need to save their steeliest nerves for the hard decisions for a real crisis. Merkel calls it a "cry wolf" problem.
Traditionally, the big reason information security officers and other executives fail to connect has been a lack of a shared language. Learning how to talk in terms of risk instead of technology has been a long struggle for people in information security. As the community improves on that front, Merkel said the next step is learning to construct a narrative within the language of risk can be a key way to convince a board room.
When a bungled threat is the public narrative, it can be tough to win a battle of competing experts, even if (as in the Olympic app case) there are far fewer experts on one side than the other.
"Humans are already not super good at talking and thinking about risk, like, as a species — QED, the last year," said Merkel. "And when you add into that someone in the cybersecurity field, leaning into the panic, it's easy for it to get inflamed."
"My reaction was slamming my head against my desk," he said.
One strategy, Merkel said, is to explain how peers and well-known companies are addressing the same issue with pragmatism.
"Often, especially if you talk to business executives further and further away from the security circle, the thing they want to know is how they are relative to their peers as opposed to seeking for a pure understanding of their absolute risk," said Merkel. "'Where am I in the pack?' So you can provide some context that they would not be the only person to look at this critically and not panic."
Pulling this off requires some level of networking to know what other companies are doing. But many regions and industries have CISO groups ready to join.
Another way to dissuade panic is having the assessments, preparations and contingency planning done thoroughly enough to immediately place a bum threat in a greater hierarchy of things to be concerned about.
"Have a proactive, not a reactive mindset," said Josh Lospinoso, chief executive of the transportation security firm Shift5, a former red teamer for the U.S. military, as well as an offensive operator. "That mindset definitely helps to keep you from reacting in a knee-jerk way to issues that get caught in the news."
Beyond figuring out how to approach executives, Lospinoso said it is important to consider ways to minimize the number of stories that get out of hand in the first place. One way to do so, he said, is having a mature disclosure program.
Researchers' enthusiasm for their discoveries sometimes leads to exaggerated announcements, he said, and the disclosure process can be a key mechanism to temper inaccurate claims. In the case of the Olympic app, this was not a real possibility — China was not going admit to surveillance. But in general, finding an honest compromise point to discuss vulnerabilities and work out differences has real effects on how security issues are discussed by the public.
Your disclosure program could be a check against someone else's boss's panic attack.
"One of the reasons I love cybersecurity so much is there's an academic sort of feel to the way that security research gets done. It is it is a marketplace of ideas,” Lospinoso said. “There's no central authority that's orchestrating security research. Marketplaces of ideas are fantastic, but they can also be very noisy, and there is no corollary to the peer review process, the coping mechanism that academia sort of came up with. I think the closest thing we have to a peer review process is responsible disclosure.”
