Shostack + Friends Blog Archive


How to be Cyberscary

The intersection of crime and technology is a fascinating place.  Innovation of fraud, theft, and industrial espionage is occurring at a phenomenal pace and is producing no shortage of real problems that Information Risk and Security professionals need to be learning about and addressing.  Unfortunately, the noise coming from journalists in this space is so hyperbolic that it becomes hard for people to take seriously.

In the arms race of cyberscare stories, journalists have consistently held the upper hand over folks like myself, but no longer.  Foreign Policy has given away some of their key secrets in 10 easy steps to writing the scariest cyberwarfare article ever:

With daily reports of severe breaches in national cybersecurity and devastating cyber-attacks on government infrastructure, many journalists are in dire need of a manual to enlighten their writing on the subject. Here are my ten (rather cynical) tips to make your cyberwarfare story succeed.

1. You need a catchy title. It pays to cannibalize on some recent tragic event from the real world; adding “cyber” to its name would usually trigger all the right associations. Studies show that references to “digital Pearl Harbor”, “cyber-Katrina”, and “electronic 9/11” are most effective, particularly for stories involving electricity grids or dams. Never make any explicit attempts to explain the bizarre choice of your title – you need to leave enough ambiguity out there for your readers to “connect the dots” themselves. This is a win-win: readers love solving important cyberspy puzzles – and you could get away without doing any analysis of your own. Quoting real facts would spoil the puzzle-solving experience; plus, the fewer facts you quote, the harder it would be to debunk your story!

It’s a great recipe for how to scare people about those scary hackers, both for journalists as well as for many Security Professionals. After all, if you’re looking to justify budget for your next case of silver bullets, it’s not enough to just have problems–things are tough all over, after all. Instead, you’ve got to have Big Problems–werewolves or vampires or some other mythological creature like Russian Mafia Superhackers.

Still, it’s missing a few key points, which I’ll add here so struggling journalists and FUD-based budget defenders can better justify their proposed capex or scare a few more people into buying a copy of the paper so they can read below the fold and thus eke out one more day as an ink-and-pixel-stained wretch.

  1. Never forget that Probable == Possible
    You will never get to be a famous cybersecurity journalist if you talk about what’s likely. If you limit your reporting to only those things which have a reasonable chance of having occurred or actually occurring, your journalism will be drab and uninteresting. Instead, find the most outlandish scenario you can imagine, then describe it with all caveats, useful statistics, or information about compensating controls removed. That simple step will improve both the brevity of your writing and the excitement of your content. The fact that your scenario just became a technical impossibility should never be a problem for you. After all, if you’re writing for a non-technical venue like a newspaper, your employer’s profitability is probably also technically impossible so you’ll be in good company.
  2. Achieve Maximum Impact
    An attack that knocks some servers you’ll never connect to off-line for 20 minutes is Not Interesting. Odds are, your own IT department did more damage than that to systems availability today just trying to get their jobs done. Instead, find a statistic involving a Large Number and supply it (without context, of course) as evidence that this could be The End Of The World. Even better, extrapolate that large number, ideally with the help of one of the experts from Tip #5, to show that this problem is growing like Grey Goo and will, again, be The End Of The World.
  3. Bring it Close To Home
    Just because a few people whose names you can’t pronounce–can’t even guess at since they’re not written using the Latin alphabet–are portscanning and DDoS’ing each other in places you also can’t pronounce whose total Internet backbone is a couple of DS-3’s is no reason not to imply both that they could bring the fight here (wherever here happens to be for you) and that this is a taste of what’s to come locally. For example, if you’re in the United States or Canada, be sure to mention mafiaboy if it’s a Denial of Service story, demonstrating that this stuff is so easy that even high school kids can do it.

Just as Foreign Policy’s list was incomplete, so is mine.  What are some other techniques that we could be using to ensure that every hiccup in Networks or Information Systems is made as cyberscary as cyberpossible when it shows up in a new story or slide deck?

3 comments on "How to be Cyberscary"

  • Adam says:

    My favorite technique…new names. Like cyberscary. 🙂

  • Dennis says:

    and don’t forget the obligatory “I told you so” quote from Richard Clarke. A must-have.

  • Chris says:

    Once again, “Plan 9 from Outer Space” covered the essential element in the first 5 minutes: “Can you prove it *didn’t* happen?”

    Reworded cyberscarily, this becomes “Elbonian narcocryptocyberterrorists may *already* be sapping and impurifying your electrical grid!”
