Fear, uncertainty and doubt (FUD) are an inherent part of the cybersecurity industry. There’s a sky-is-falling quality to almost everything that transpires in this space and in the related stories on which the news media reports. If it isn’t the deadliest-ever malware on record, it’s the worst-ever breach or the most dangerous flaw in the Internet’s core underpinning. Every system and every service is always just a heartbeat away from catastrophic failure. Everyone is scrambling to patch, update, mitigate and avert a digital disaster from a variety of attackers.
Avoiding Cybersecurity Armageddon
Around every corner, there are the deep-pocketed nation-state actors, the unimaginably sophisticated cyber gangs, the slimy botnet operators, the opportunistic identity thieves and, of course, the advanced persistent threat (APT) gangs. They’re plundering and pilfering personal data, stealing state secrets and committing corporate espionage on a mind-boggling scale. Our power grids, transportation systems and financial networks are always just one solitary breach away from a digital Armageddon. Our software and databases leak like sieves. Things are so bad it’s pointless even to throw money at protection methods because everyone knows you are going to get breached anyway. At least, that’s what many headlines would have you believe.
Anyone who has been associated with the cybersecurity industry has likely gotten accustomed to such FUD-based thoughts. They also have more knowledge, making it easier to distinguish facts from extreme rhetoric. But with security becoming a mainstream concern affecting almost everyone who uses digital technology, it’s seriously time to tone down the noise and focus on the real issues. That process has to begin with recognizing the source of FUD.
Vendors, which use FUD as a way to sell their products, have typically been the targets when it comes to assigning blame for spreading it. But does the news media have a role in spreading it as well? After all, FUD needs a way to propagate, and there are few platforms better for it than the news media. If FUD sells products, it also begets clicks — plenty of them. More people are turning their attention to the role that the media plays in framing security headlines. It was even the topic of a session at this year’s Infosecurity Europe conference. But this subject is more than just a hypothetical: It’s a real issue that security and IT teams, as well as communications and marketing professionals, should know how to recognize and address.
News Media: Professional or Propaganda?
Stories that cast security vulnerabilities, data breaches and cybercriminals in an overly dramatic manner often tend to do better from a page view standpoint than stories that simply state the facts for what they are. Hyperbole sells, so why risk the unembellished?
Often, all it takes is a single unvetted report for a feeding frenzy to begin. In the rush to meet deadlines or dominate headlines, facts can get conflated and confused. A breach that exposes a million email addresses gets the same breathless treatment as one that leaks a million social security numbers. Every attack on a government network poses a critical threat to national security interests. When the details are sparse, pad the story with predictions of what might have happened or what could happen. Run with a report because everyone else is doing it, and because it’s unacceptable to miss out on a story. The lesson is: When everyone is screaming “fire,” don’t be the only one asking “where?”
Vendors have a role to play in all of this. A lot of the FUD starts with them — in their blogs, in their reports and in their whitepapers. Every campaign they uncover is the most sophisticated one they have come across. There is no new malware they have ever encountered that wasn’t more advanced than anything they have seen before. Every APT campaign they see poses a threat to huge swathes of the Internet, even if the number of victims they have actually counted is in the single digits.
The noise needs to subside. For that to happen, the media must ask more questions and be more skeptical. Vendors need to start telling it like it is and not how they think the media wants to hear it. Even individual security professionals can do their part to further this aim, helping the media stay informed on issues and communicating in a way that allows everyone to understand the facts.