News You Can't Use: Typical Cybersecurity News Coverage

One of my colleagues here at Pythia Cyber has begun a series of posts about specific news items. For instance, here is his collection on the current role that passwords should play in your cybersecurity both as a user and as a manager in a company with public-facing computer assets. There is also a series coming on social engineering.

He does a great job of explaining the particular significance of these items, which has inspired me to comment on the general (in)significance of these items. Because that is the unpleasant truth about news coverage of cybersecurity: all too often the coverage falls into one of two categories of useless: fear-mongering and advertising.

To me, fear-mongering (and its cooler younger sibling, click-baiting) is reporting on something that seems bad without establishing proper context and without providing any kind of solution. The "16 Billion Passwords Leaked!" headlines were all too often followed by breathless descriptions of this giant trove of passwords--maybe even your passwords!--that was found on-line. Oh, no! What do I do? Freak out? Wallow in despair? Shrug and try not to think about it?

My colleague gave some great practical advice in that series, which we all should follow whether we are wearing our User hat or our Managing Public-facing Computer Assets hat. But the point in this context is that he gave advice. And not a simple "don't use your kid's birth dates or your spouse's name or your pet's name as a password" but a longer explanation of what passwords are now good for and what passwords are no longer good for. This is the opposite of fear-mongering: this is fear-controlling.

This matters because of the usual reactions listed above: confusion (well, what do I do about this?), panic (I'm freaking out!), despair or apathy (shrug and try not to think about it). None of these reactions will make you safer. None of these reactions will motivate you to take positive steps in the right direction. "Made you look!" is not a very productive game to play with your readers, even if it can be profitable.

Speaking of profitable, all of these reactions will make you more receptive to a sales pitch. This is the greater of the two evils: advertising masquerading as news. Take the article which inspired the second series, an item in the Wall Street Journal about the perils of social engineering, which ended with a plug for a software solution to a management problem. Newsflash: there are very, very few management problems which can be solved with software. This is why we have managers in the first place. The idea that managers would seek a software solution to management problems gives me the creeps: do these managers not believe in management?

So what would I have preferred to see in this second article? I would have preferred to see an analysis of the core problem, the contradiction facing 21st century Tech Support and Customer Service. On the one hand, we want these groups to be friendly, accommodating and to help the incompetent get around having been locked out of computer systems. On the other hand, we want these groups to be suspicious of social engineers and to assume that anyone who cannot establish their identity is an attacker to be repelled. This is an impossible situation for these workers. To help them navigate this tension we have to provide them with good support (MFA, mostly) and help them be mindful. We want more and better human input, not less and worse (throttled by a rule set encoded in software) human input.

Even more, we need to recognize the role that corporate culture plays here: we routinely fire suspicious and therefore "unhelpful" support people while we routinely reward welcoming and therefore insecure support people.

Did the WSJ lay out the core problem, with a challenge to middle management to do a better job? No; the WSJ did a little preparatory fear-mongering and then suggested an easy way out: software of some kind, which would detect problems (but that is what your cybersecurity program should be doing) and hopefully stop these problems as well (but that is what your cybersecurity program should be doing). Inept journalism? Journalism slanted toward what the readers want to hear? I have no idea why the article was unhelpful but I am very sure that it was unhelpful. It certainly did not help the person who brought it to our attention for explanation.

Whichever category a news item falls into and whatever the root cause of the unhelpful coverage, the fact remains: we here at Pythia Cyber are often asked to comment on news items by colleagues and clients and friends because so many news items about cybersecurity leave the reader confused and uneasy. I liken these unhelpful news items to articles about how oxygen is toxic, at least in high concentration, or that water can be poisonous in large amounts. Ok, sure, but even so I strongly recommend breathing air and drinking water.

I also recommend having a well-grounded, de-mystified cybersecurity program (NIST CSF) in your organization and I recommend being a mindful user of computer systems (password manager). You can do it and Pythia Cyber can help.
