The relationship between the media and information security
is intriguing. The media is quick to cover security-related
incidents such as worm outbreaks and intrusions into systems
and networks, serious vulnerabilities and so on, in many respects
helping in the job of raising public awareness of security
issues. The media’s fascination with information security
also has negative consequences, however.
Publicity stunts
Information security professionals, especially those who are
consultants, often compete for media exposure.
Several weeks ago the president, founder, and business administrator
of Forensic Tec, a California-based security consultancy,
were indicted for breaking into numerous US government and
Department of Defense systems. After allegedly breaking into
these systems, members of this consultancy openly bragged
about how easy it was to breach their security.
The press ran stories to the effect that some of the most
critical computers within the US were wide open to attack.
Interestingly, the indictment accused the individuals of creating
a publicity stunt to drum up business for this new, small
consultancy.
Cybervigilante
But Forensic Tec’s story is by no means unique. The
activities of Adrian Lamo, a cybervigilante who has often
found and publicized security holes in computers run by a
variety of organizations and then has offered to fix the holes,
have also made information security news.
Recently Lamo has been arrested on charges that he obtained
unauthorized access to computers; he has surrendered to law
enforcement authorities.
You may also recall the story of Rachel Metz, a reporter for
the Palo Alto Weekly, who accessed files containing students’
personal information by ‘war driving’ in a school
parking lot and then ran a story about her exploits. Metz
has not been arrested, even though it appears that she violated
several US statutes.
Immunity
What do these stories have in common? These cases are only
a few of the many in which people’s unauthorized access
to systems was at least to some degree motivated by a desire
for press exposure.
The funny thing about it all is that, at least until recently,
people whose stories of unauthorized access have appeared
in newspapers, magazines, newscasts and Web pages have seemingly
been immune from the consequences of their actions.
They could do almost anything they wanted, including violating
cybercrime statutes, without fear of arrest or civil lawsuits.
Cybercrime
Recent events also show, however, that things are changing
(at least in the US): even though there may be
some apparent good (however small) in what at least some of
the people the press has covered have done, what these individuals
have done is, in effect, no different from what a cybercriminal
does.
After all, proving that systems are wide open is really less
than extraordinary. Undefended systems abound. Today’s
computing environments provide an incredibly ‘target
rich’ environment for attackers.
Nevertheless, the media seems to delight in publishing horrific
stories concerning how vulnerable systems are to attack, particularly
critical financial and military systems.
Glory seekers
Now that numerous individuals who gained overnight fame by
having their unauthorized activity publicized have been arrested,
one must wonder whether the activity in which
they have engaged (or, in some cases, allegedly engaged) would
have transpired without the receptiveness and sometimes open
encouragement on the part of members of the press.
It is time to re-examine the media’s choice of stories
and the slant used in covering them. I worry that elements
of the media may not only be encouraging those who engage
in unauthorized computer-related activities, but also that
they may be conveying certain kinds of information that may
encourage impressionable young people, keen for the ‘glory’
ascribed to those who prove that systems are open, to have
a go.
Training the press
We spend a considerable amount of our time and resources training
users, system administrators, management, and even school
children concerning conformance to information security statutes
and policies as well as ethical issues in computing —
a very good idea indeed.
Yet somehow we have overlooked the media in our security training
and awareness outreach. We need to turn our attention to this
forgotten element, the one that in some cases appears very
much linked to unauthorized actions performed by a growing
number of individuals who seek publicity.
Members of the press need to hear more about cybercrime laws
and the many ethical issues in connection with accessing other
people’s and organizations’ computers. The responsibility
for getting the ear of the media regarding these issues falls
squarely on us, the information security professionals. I
urge the ISSA, ISACA, the International Security Forum, and
other significant professional organizations to make training
and awareness for the media a major part of their future endeavors.
Expert Comment from Compsec Online