I had a great conversation with Nick Selby this afternoon, and one of the many topics we discussed was triggered by a couple of his recent blog posts about critical infrastructure: one touching on the 60 Minutes hack-job piece and another on Fudsec about where the risk should be placed.
At first, I was really wound up about Nick's post on the 60 Minutes piece because he seemed to be excusing sloppy "journalism" because the value of reaching a wider audience outweighed the problems of questionable reporting. [Part of my reaction was certainly due to my contempt for 60 Minutes; I feel that they don't do investigative journalism, they are what is wrong with "investigative journalism" on television. The fact that 60 Minutes is generally less horrible than anything else in the genre is not comforting.] In case you somehow missed it, there was quite a bit of furor over 60 Minutes' claim that a Brazilian blackout was caused by hackers. Robert Graham had a pretty terse post about this on the Errata Blog, and Rich Mogull did a good job of providing a balanced perspective.
My take on the 60 Minutes bit is that investigative reporting should investigate, and do so with a significant dose of skepticism, and report findings honestly. I also think that we as the audience have a responsibility to be skeptical of the reporting. 60 Minutes' hacker claim could not be backed up conclusively (at least not publicly and on the record), so I believe they should have been honest about that instead of going for the hype. If they had said something like:

"There are some conflicting reports as to the true cause of the outage, but we have high confidence in our sources. What may be more troubling than the actual cause of the outage is the fact that these systems are so vulnerable to so many attacks, and so poorly monitored and regulated, that even after a major outage the true cause cannot be determined conclusively."

I would have been happy with that. But that isn't a sexy soundbite. Oh, well, it is television.
I thought Nick's post on the Fudsec blog was good, but it included a fairly flip comment about the ease of mitigating the Aurora vulnerability (585k PDF), which triggered objections. Nick clarified his position on this in a comment to his post. The central idea of the post is an interesting one: that getting customers mad at the negligent utilities and demanding improvements is the way to address the problem of vulnerable private critical infrastructure. I am not sure how likely that is to happen, but that is the capitalist way to do it, and money talks (although it has nearly lost its voice of late).
Where does this leave us? Nick has made some very good points, and I think he has hit a fundamental problem in trying to get the word out to a larger audience than those of us in the security world: how to simplify the issues into concise and understandable language (NOT dumbed down) so that non-professionals can understand it, while not running afoul of appropriately detail-oriented, accuracy-demanding professionals.
This has to get sorted out; too much effort in the security community is spent on navel-gazing, chest-beating, choir-preaching, and other hyphenated silliness. We need to engage and educate people outside our community if we are going to make real progress.