It was a beautiful fall day, and even the trip around the infamous DC Beltway felt like a vacation from the confines of the office. I was headed for the University of Maryland, a campus I remember well from my doctoral studies just over a decade ago. The conference center I sought is situated in a pastoral area on a rolling hill near the president's Georgian residence.
I had arrived early for my scheduled presentation. Not only would I be able to enjoy the complimentary lunch, I would also be able to catch the much-hyped luncheon speaker, an experienced private-sector leader of a cyber security research organization. He was slated to speak on recent Congressional testimony regarding potential nation-state-supported cyber espionage targeting sensitive U.S. government computer systems.
Having spoken on similar topics over the years, I was eager to hear how this savvy practitioner and researcher would frame the information and what analysis he would derive for the audience. Looking around the standing-room-only hall with expectant conference attendees at tightly-packed lunch tables, I envied his venue.
My colleague opened his presentation with a vaguely threatening and ominous tone. He stated that the entire information security dialogue in the government has been changed forever. He alluded to a dramatic shift of perception by our elected representatives instigated by an event of seismic import. Since I was well aware of the recent Congressional testimony, I was not surprised when he cited the case of the foreign system crackers, but I was bemused by his application of dramatic poetic license worthy of Edgar Allan Poe.
From there the speaker changed tack several times, first showing a canned set of slides about a completely unrelated attack first employed in 1999, then moving on to offer a pointed critique of existing government security programs. He transitioned to this attack by claiming both government and industry had failed in their security responsibilities. I waited for a qualifier or explanation that never came. He trotted out a list of policy and technology safeguards he denoted as woefully inadequate, including the requirement for certifying and accrediting computer and telecommunications systems to address security-relevant concerns.
As the speaker's pool of security practitioners and policy makers worthy of castigation continued to increase, it dawned on me that this was becoming a sales pitch. Sure enough, he eventually came to the hook. He felt only those experts who had hands-on experience with his attack-and-defend program merited respect. In order to be an effective IT security professional, he stated, you needed to be a trained counter-attack specialist. He went on to claim that our government's one and only research role was to fund programs to continually test perimeter defenses.
I did not have time to talk with my friends in the audience after the presentation, because I had to make my way to the room in which I was to speak. As I walked, I mused about the return of the FUD speech. The acronym stands for fear, uncertainty and doubt. Once that FUD factor is introduced, the speaker, like our luncheon guest, can spend the rest of his or her presentation with dire warnings of future attacks and demands for immediate action.
The presentation I was to give lacked the excitement and drama I had just witnessed. I had been asked by the conference organizers to provide a presentation on the subject of information sharing. This admittedly mundane topic has become a cottage industry around the Beltway in the last two years, with entire conferences and bureaucratic positions being created to address the issue. Information sharing is portrayed as the solution to everything from national intelligence failures to the inability of first responders to communicate quickly and easily. It doesn't rate as highly on the interest scale as foreign bands of hackers, but it certainly is a critical national issue.