Posted by Kevin on November 12, 2016.
Robert has thrown down the gauntlet (What reporters should know about infosec); and against my better judgement I feel compelled to respond. It’s not that I disagree with him, but I feel a view from the other side is required.
A reporter reports the news. He (to include she from hereon) does not comment on the news. That would make him a commentator (or, in today’s parlance, a blogger).
Inherent in being a true reporter is the need to find out and verify what actually happened. This is not possible in infosec reporting today. The concept of jumping in a car and driving to the scene of an accident or fire and speaking to eye witnesses does not translate well to a large corporate hack or a DDoS that takes down the eastern seaboard. The modern reporter is forced to rely on the understanding of ‘experts’; and his reports are reduced (or expanded) to the quality of his contacts – who all have their own axe to grind.
Modern economics also play a part. Most reporters are required to file a set number of stories for a set fee; or perhaps receive a set fee for each story delivered, regardless of the time spent on each story. The quality of news reporting is unduly affected by the need to pay a mortgage. That shouldn’t be so, but it is the reality.
And a final comment on reporters. The source of much news is the ubiquitous press release – and press releases, dare I say it, lie and distort the truth. Here’s an example. It’s not a good one, but it happened today and illustrates the point. It also touches on a major endpoint security firm that will not be unknown to Robert.
This firm published a report entitled “Tesco Bank not alone in being targeted by Retefe malware.” Now why single out Tesco Bank? It’s no more relevant than any other bank to the content of the report – but it is guaranteed to attract attention. And attract attention it did. Shortly after this was published I received a press release with the headline, “Comment: Many other banks at risk from malware that hit Tesco.” The release went on to say:
[Firm in question] researchers have discovered a link between the Tesco Bank breach and the Retefe malware. The Retefe trojan horse goes after users’ online banking credentials, which can be then misused to conduct fraudulent transactions. The campaign began at least as far back as February 2016.
The combination of the headline and this first sentence creates a lie. It is obviously a lie and would not fool any half-reputable infosec reporter. But reporters report the news. This lie was told. Should the reporter report it as news?
Here the answer is simple. No. And no more than a couple of minutes will have been (no, actually were) wasted. But many lies are more subtle. They are mere falsehoods or distortions, and can take an hour or more to discover – assuming that they are indeed discovered. That hour or more will represent a high proportion of the time that can be spent on a single story if the reporter is going to make a half decent living. Is he to abandon it and start again with something else; or try to make the best of a bad situation?
In reality there are very few reporters left. The publishing market doesn’t want them. Publishers want their writers to add value to press releases. Indeed, this is a necessity. A very great friend of mine, who also contributes to this site, once said to me, “If you’re not going to add your own opinions, you might as well just reprint the press release.” But of course, as soon as you add your own opinions you become a commentator using value judgements, rather than a reporter.
From hereon I’ll use the term ‘journalist’ to describe the modern reporter/commentator.
Incidents reported by infosec journalists generally revolve around a particular piece of malware or type of attack, or a particular type of product, or a new technology advance (which may or may not actually be new) and so on. There are millions of pieces of malware and dozens of types of attack and an infinite number of company IT environments, and new technology advances in dozens of technologies – and the journalist has no prior knowledge of which combinations he will be faced with each day. He will also receive dozens of press release comments from different experts, whose sole purpose is to distort the reality of the incident to promote their own products.
From all of this he has to discover and relate what actually, or at least probably, really did happen. His critics, however, are most likely to be genuine experts within one field, or a fairly narrow combination of fields.
It is, frankly, an impossible job – and yet I would suggest that there are many infosec journalists who make a pretty good fist of it. And, sadly, some that don’t.