Many of you may have watched the “60 Minutes” segment on Sunday entitled “Sabotaging the System.” The 20-minute segment highlighted a number of alleged past and potential cyber attacks, including power outages in Brazil, an attack on the military’s Central Command, and theft of millions through hacks of ATM networks. Beyond some legitimate disputes as to whether the Brazilian blackouts were caused by hackers or by the build-up of soot and dust on high-voltage insulators, the broadcast raised some serious questions as to the appropriate balance in the report. While we’re all used to the press relying on fear, uncertainty, and doubt (FUD) to generate news in niche areas where the public would likely be bored to tears with discussions on minute details, the “60 Minutes” segment seemed less an exercise in sensationalism than one of laziness. As one blogger noted, a simple Internet search would have pointed out that the source of the outage may not have been a cyber attack. That isn’t to say that a cyber attack isn’t plausible or that natural causes are much less embarrassing, but it seems a bit irresponsible to not even mention alternate causes. For an investigative reporting outfit to simply take government officials (or former government officials) at their word seems to fly in the face of the way journalism has been practiced for the last 40 years.
In reality, much of what passes as intelligence within the critical infrastructure sector about security events seems to be based more on rumor and innuendo than on sound investigation. This is undoubtedly due in part to the fact that private sector operators who own most of the infrastructure are loath to report such events, particularly when there is no obvious harm. One cannot fault journalists for reporting what they know. However, simply reporting that the Brazilian electric company disputes the claim or has no comment might imply that the full story is not being told. There are some real threats facing our critical infrastructure that are clearly in the public interest to be disclosed. However, such reporting, and ultimately efforts to fix the problem, lose their credibility if operators feel that any good faith efforts to report incidents will be met with exaggeration and grandstanding. The media does a decent job at rooting out corruption and disclosing matters of public concern without telling a one-sided story. One would hope that they don’t feel it is okay to skimp on their reporting duties when the subject is more obscure and less familiar to the general public. Those of us in the information security community should work to see that the full story is told whenever possible.