Ira Winkler: Press falls short in reporting on chip hack
When researchers uncovered a back door in a MILSPEC chip, the reports all seemed to imply that it was no big deal
Computerworld - I'm a writer, not a reporter, but like many consumers of news reporting, I sometimes think reporters take the easy way out. They report on someone saying or doing something controversial, then they find one person who will say that what that person said or did was wrong. End of story, so to speak.
This follows the "there are two sides to every story" theory of news reporting; once you've reported the point and counterpoint, there's nothing else to say, right?
But truth and reality -- those things that reporters presumably should be trying to reveal -- are often more complicated than that. And I often see how inadequate this approach can be when I'm reading about something that I know a good deal about.
Case in point: Researchers from the University of Cambridge revealed that there were back doors in military-grade chips and suggested that China was behind their installation. In story after story in the computer press, I read that information, followed by quotes from the Errata Security blog of Robert David Graham, who argued that there was no evidence China was involved and that it was unlikely that there was any malicious intent behind the installation of the back door. And that was all; no quotes from any other experts.
That bothers me, because I know they could have found plenty of people with solid credentials to refute what Graham had to say. They could have asked anyone familiar with national cybersecurity matters, people like former White House adviser Richard Clarke and former top cyber cop for the FBI, Shawn Henry. Both have been vocal about the cyber-espionage threat that the U.S. and U.S. companies face from China and other nation-states.
And it especially bothers me because this is the computer press we're talking about. When a vulnerability like the one described by the Cambridge researchers is downplayed in the computer press, there can be repercussions. Security managers in major companies know firsthand that they are being breached by China on an ongoing basis. They ask for budgetary resources to deal with such threats. Then along comes a story about researchers verifying that chips from China do indeed have a major vulnerability. To me, that should be the story. No one is disputing that the vulnerability exists. It was uncovered by researchers with very limited resources. That suggests that, even if China didn't install the back door, a nation-state, backed by tremendous resources, certainly could have found this vulnerability before now and could be exploiting it. But the news stories do not make that point; instead, they quote someone who says, in effect, this is nothing to take seriously; we've seen it all before; it's no big deal.