Why Hyping Cyber Threats is Counterproductive

Robert Lee and Thomas Rid have a new paper: "OMG Cyber! Thirteen Reasons Why Hype Makes for Bad Policy."

EDITED TO ADD (11/13): Another essay on the same topic.

Posted on November 6, 2014 at 2:54 PM • 13 Comments

anon • November 6, 2014 5:33 PM

I'm a sys admin for a medium size investment bank. We have our own proprietary messaging system that's used by everyone here from the executives on down to our college interns.

We've always used 3DES w/ 2048 bit RSA keys ... every now and again, someone will suggest a move to something more secure but we're invested in ASIC hardware and I seriously doubt that this setup isn't secure enough for our purposes.

Even an extreme adversary like the NSA would IMHO not bother trying to break our crypto unless the contents were considered a critical national security issue for them and even then ... I'd expect them to resort to other methods because the computational costs of such an attack would still be astronomical.

... most of the internet will tell you that we're fools who are playing a dangerous game with our clients' data but I haven't bought the hype yet.

bitstrong • November 6, 2014 8:58 PM

OK, looks like "hype" is one of those words that can mean anything you want it to mean.

Thoth • November 6, 2014 10:28 PM

The problem is simply down to human issues. The politicians, chiefs of agencies ... it's all politics. They want drama, they want attention, they want fame, they want wealth and fortune, which by hyping something astronomically big they will get: they become famous and rich with enormous power. It's just their agenda.

Silent Underground • November 7, 2014 12:33 AM

I would hazard a guess that very possibly the everyday people are being played exactly because they tend to be scared. It is kind of an instinctive note to yell at them, isn't it?

Yet, one they nobly respond to. (Nobly there being sarcastic.)

(When you have to explain you are being sarcastic you know there is a problem.)

Andrew_K • November 7, 2014 3:37 AM

The cynicism thing is so very real. I can totally relate to it. It's what finally made me change sides. Granted, I'm no longer the one making the decisions. But they were no real decisions anyway ("should we order investigation of this potential threat?" -- who would say "no" without being afraid of the risk becoming a real threat and then being the one held responsible -- especially if budget is not the problem?). And it of course has a financial advantage. Even if what I do makes no sense at all, the customer demands it and it pays well. And yes, from time to time I try to tell them that they order silly things. But then again my contact is not the one to stop things.
Feel free to criticize my sentiment, but the more often I read the very paragraph on it in the paper, the more I feel portrayed.

Talking more globally: there has evolved an unhealthy tendency to overshoot. Something happens and it's an outlier from "normality" (that is, it's "news"). It draws the attention of those usually not concerned with the topic. Suddenly the directors and the upper management start asking questions about arbitrary details -- say on TCP SYN cookies and whether we are using them and what not. Because they have heard that TCP SYN is a dangerous thing used by the bad guys. We should totally stop using them. That will be a topic at tomorrow's board meeting. Of course.

What happened to the days when managers trusted the people working for them? When they would just lean back with the thought of "I have good men working for me. I do not need to babysit them. They will do their work and I can focus on mine."

This leads to interesting speculation: hyping things up to management is a perfect way of hiding that management staff have no real tasks. So they must make up something to do. And security is a perfect area to make something up. No one doubts that security issues are both relevant and important. So important that they need more boards and directors and managers handling them.

Andrew_K • November 7, 2014 3:46 AM

@ anon:
I like your reasoning.

If the state wants to know something, it will find an easier way. Like getting HUMINT. Using keyloggers. Tapping phones. The usual freshman missions.

4kj3fjk3nk3jn • November 7, 2014 5:31 AM

It's marketing and economics. Why do you think anti-virus companies still use signatures instead of a full HIPS (as opposed to the current partial opt-in ones that are supplemented with weak signatures) with an offline installer that protects the boot chain and ring 0? It's not because they don't have the development throughput to do it in a realistic time frame. It's because there is a continued profit model in selling a subscription as opposed to a license for occasionally patched software.

Also, the financial figures in security headlines aren't even approximations, and most 'person' figures are based on very poor audits. It's all smoke and mirrors based on what little they actually invest.

RELATED NOTE: I've long believed this is why x86 MMUs haven't implemented write-back hashing and DLPAR userland type functionality, which would pretty much kill even advanced ROP attacks.

anon • November 8, 2014 12:24 PM

A warrant would probably be the most effective option for the government to eavesdrop on our company's confidential communication. I would like to think that we can trust the operational security, good faith and competence of the employees with access to sensitive information, minimizing the risk of human intelligence; but I'm biased in favor of my colleagues.

If their intentions were illegitimate and they thought that, even by playing loose with the facts, it would be difficult to convince a judge to issue a warrant ... then I would suspect them to resort to human intelligence. By "their" I mean the FBI, which we know has a more linear, fallback-based approach ... if the NSA is targeting you, they'll probably utilize multiple approaches simultaneously and utilize their options, as needed, during their investigation. That is the way they use technical, human and legal methods against their high-profile targets like social media, network technology and service infrastructure organizations.

Traditionally, banking is considered the most critical target for cyber-criminals, and we've come to expect the most stringent security practices from financial organizations. But I think that recent revelations show that companies like Cisco, L3 and Facebook are far more lucrative targets that are compromised by more sophisticated attackers.

Wesley Parish • November 10, 2014 4:55 AM

The canonical theme song for hyping threats is of course,

Brave Sir Robin Ran Away

Brave Sir Robin ran away.

Bravely ran away away.

("I didn't!")

When danger reared its ugly head,

He bravely turned his tail and fled.

Yes, brave Sir Robin turned about

("I didn't!")

And gallantly he chickened out

****Bravely**** taking ("I never did!") to his feet,

He beat a very brave retreat.

("all lies!")

Bravest of the braaaave, Sir Robin!

("I never!")

'nuff sed?!?

Martin Bonner • November 13, 2014 6:51 AM

3DES+2048bit RSA: That looks like a perfectly sensible ciphersuite to me. It's not what I'd choose if I was starting out from scratch today, and I'd be a bit concerned if it was the cipher suite for an archive system that needed to be secure for decades (RSA Inc suggest that 2048bit should be good until 2030).
