The Return of the FUD Monster

I eagerly tuned in for the television program 60 Minutes in March when they advertised a segment titled “The Internet is Infected,” hosted by broadcast journalist Lesley Stahl. The segment began with her interview of a vice president with technology company Symantec — giving an overview of recent cyber-threats and demonstrating some data capture techniques used by digital thieves. It was informative if rather dull. Let’s face it, having an uber-geek computer whiz pointing out activities on a scrolling computer screen doesn’t exactly provide riveting television drama. It soon became obvious the producers of the segment knew this as well.

Stahl next introduced a young security researcher from a company that provides managed internet security services. Apparently, security researcher is a nebulous title, so Stahl suggested to the interviewee that he was a “hacker tracker.” I am not sure if she thought up this alliterative appellation on the spot or had prepared to use it, but the interviewee happily acceded. I remember commenting to my wife at this point on his clean cut youthfulness.

During this part of the segment, the young man spoke of dastardly Russian hackers bent on stealing identities and purloining the financial assets of the viewing audience. To boost his argument, he produced a picture of some of these evil Russian hackers. It showed a group of young people standing outside a building. It was obviously chilly there in Russia as they all wore coats. He pointed out one of the taller kids and explained to Stahl that he was a Russian youth not yet old enough to drive, but having the nom de guerre in cyberspace as “Tempest.” He was identified by this ersatz security expert as a ring leader among Russian cyber-criminals.

The final part of the segment featured an interview with an average Jane Sixpack who claimed to have been robbed by cyber-thieves. She explained that her online bank account had been compromised, and she personally witnessed the decrement in real-time while she was online with her bank. She had called the bank. Bank security personnel identified the vulnerability, fixed it, and returned her money within hours.

You could easily see the format the producers wanted to use for this segment. The technology guru starts the show explaining how the technology exploits work, the “hacker tracker” then explains the source of these attacks complete with pictorial “evidence,” and the finale shows how this all can impact John and Jane Viewer. Unfortunately, some of it simply wasn’t accurate.

Within hours of the broadcast, the headmaster of a Finnish school in a town called Taivalkoski confirmed that the picture of the youthful “Russian hackers” was in fact taken on his school’s grounds about five years ago. He identified the children in the picture. One youngster in the photo is wearing a jacket emblazoned with Finland’s coat of arms, and another is wearing a hat with the logo of a Finnish brewer. How this innocent group of Finnish schoolchildren were identified as insidious Russian cyber-criminals has yet to be explained, either by the security expert who provided the picture, or by the 60 Minutes producers who put it on television. In fairness to 60 Minutes, Stahl provided a quick on-air “correction” the following week.

Aside from sloppy or non-existent fact checking by the show’s producers, The “hacker tracker” is most likely hiding under his desk. That is, if he is still employed. As I write this, he has yet to explain the identity confusion or apologize for the disinformation. I am sure the producers of the segment had a follow-up call with him.

The lady who had her account compromised did not seem clear on how this theft actually occurred. It may or may not have been using the technology shown in the first part of the program, and it may or may not have been Russian cyber-criminals. In fact, she was never at risk as long as she kept an eye on her accounts. As would be the case if a bank robber physically held up a bank and took “her” money, she was protected by the bank’s security program and the bank’s insurance covered her losses.

We security practitioners recognize this approach to discussing cyber-risk as FUD — senselessly spreading fear, uncertainty and doubt. Aside from the factual presentation of vulnerabilities and exploits, the what-does-this-mean-to-me aspects of the presentation left much to be desired. But why let facts get in the way of a good scare?

Cyber-security is simply not good television drama. It never has been. Even movies using cyber-security as a sub-plot feature car chases and gun battles. As professionals, we need to call out the FUD for what it is, and present informed and accurate analyses of the threats to and vulnerabilities inherent in our critical information and technology infrastructure.

That takes critical thinking and empirical analysis. Help defeat senseless fear-mongering, and drive back the FUD monster wherever you find him.

John McCumber is a security and risk professional, and is the author of “Assessing and Managing Security Risk in IT Systems: A Structured Methodology,” from Auerbach Publications. If you have a comment or question for him, please e-mail John at: