“The Charge of the Mosquitoes” – Two-Part Article
There has been a lot of talk out there recently around FUD and public disclosure, with the usual industrial cyber security pundits weighing in on all sides. With videos such as the Aurora demonstration, Ira Winkler’s RSA presentation, and a whole host of other inflammatory articles, people are wondering whether such articles are doing any good or not.
I have heard some great analogies lately as well. Notably, my favorite came from Jake Brodsky during a podcast interview he and I did together over at Digital Bond’s website with Dale Peterson. He likened such articles to an “Energy Drink.” Great analogy: you get a big buzz and lots of energy, and then an even greater crash. That seems to be what happens every time an article like this comes out.
I have my own analogy, and I must pay tribute to an old confidant from my early years, Col R. B. Thieme. Regrettably, one of my longest-known advisers is succumbing to Alzheimer’s disease at nearly 90 years old, so it seems fitting that I should borrow from such a person. The Charge of the Mosquitoes: while one is not enough to get you, over time they eventually overwhelm you. This is what I fear such articles are doing to the state of industrial cyber security. While there may be some short-lived awareness benefit, the greater fear to me is that we are desensitizing ourselves to the issue. In the absence of PUBLIC events, every time something like this comes out and we still have not seen an incident, people believe less and less, to the jeopardy of the whole issue. It’s what I and many others call the “September 10th” syndrome… the fact that few would have imagined the possibility of 9/11 until it happened.
This is a product of human psychology, known as “Cognitive Dissonance Bias,” in which our brains tend to automatically reject possible outcomes based upon biases formed by our own experiential base. It is especially powerful with NEGATIVE analysis. For example: go to a gem field and turn over five rocks. Find five gems, and you will likely think you are very “lucky” but will not tend to believe that it will happen under any of the next five rocks. On the other hand, turn over five rocks and find no gems, and you will likely conclude that you will not find any gems at all. The problem is that this has absolutely nothing to do with whether or not there are any gems under any other rocks… Absence of previous data is no indicator of future absence, and the same holds in security. Just because there is no evidence of past events doesn’t mean it won’t ever happen. Quite likely the opposite is true, but our own cognitive dissonance bias drives us to believe that nothing will happen. Yes, I know this is a simplification, but the intent of this article isn’t to go through the various ways that people’s minds can be persuaded to perceive success versus failure.
Hearing things like these inflammatory articles only helps to encourage the process. It makes people reach conclusions of “this can’t happen to us” even more quickly by steeling their minds over time, to the point that eventually they will discount it completely. I’m reminded of a story of an old mountain man near Mt St Helens before it blew. Geologists and experts warned everyone to leave, but he was actually interviewed as saying that because nothing had ever happened in all his years, nothing was going to happen. Apparently he never learned that geology doesn’t change on the scale of human lives. Talk about a misstep: he is among those never accounted for. While awareness is good, FUD and inflammatory articles are not; they are making the challenge of implementing cyber security even more difficult. In Part 2 of this article, I intend to address some ways I think we need to change the message.