Ira Winkler: Press falls short in reporting on chip hack
When researchers uncovered a back door in a MILSPEC chip, the reports all seemed to imply that it was no big deal
Computerworld - I'm a writer, not a reporter, but like many consumers of news reporting, I sometimes think reporters take the easy way out. They report on someone saying or doing something controversial, then they find one person who will say that what that person said or did was wrong. End of story, so to speak.
This follows the "there are two sides to every story" theory of news reporting; once you've reported the point and counterpoint, there's nothing else to say, right?
But truth and reality -- those things that reporters presumably should be trying to reveal -- are often more complicated than that. And I often see how inadequate this approach can be when I'm reading about something that I know a good deal about.
Case in point: Researchers from the University of Cambridge revealed that there were back doors in military-grade chips and suggested that China was behind their installation. In story after story in the computer press, I read that information, followed by quotes from the Errata Security blog of Robert David Graham, who argued that there was no evidence China was involved and that it was unlikely that there was any malicious intent behind the installation of the back door. And that was all; no quotes from any other experts.
That bothers me, because I know they could have found plenty of people with solid credentials to refute what Graham had to say. They could have asked anyone familiar with national cybersecurity matters, people like former White House adviser Richard Clarke and former top cyber cop for the FBI, Shawn Henry. Both have been vocal about the cyber-espionage threat that the U.S. and U.S. companies face from China and other nation-states.
And it especially bothers me because this is the computer press we're talking about. When a vulnerability like the one described by the Cambridge researchers is downplayed in the computer press, there can be repercussions. Security managers in major companies know firsthand that they are being breached by China on an ongoing basis. They ask for budgetary resources to deal with such threats. Then along comes a story about researchers verifying that chips from China do indeed have a major vulnerability. To me, that should be the story. No one is disputing that the vulnerability exists. It was uncovered by researchers with very limited resources. That suggests that, even if China didn't install the back door, a nation-state, backed by tremendous resources, certainly could have found this vulnerability before now and could be exploiting it. But the news stories do not make that point; instead, they quote someone who says, in effect, this is nothing to take seriously; we've seen it all before; it's no big deal.
More by Ira Winkler
- Ira Winkler: My run-in with the Syrian Electronic Army
- A simple cure for the cybersecurity skills shortage
- Ira Winkler: 6 failures that led to Target hack
- Ira Winkler: The RSA Conference boycott is nonsense
- Electronic privacy? There's no such thing
- Guys, stop creeping out women at tech events
- Ira Winkler: Stupid users, or stupid infosec?
- We're missing out on the value of security awareness
- Are your security professionals qualified?
- Ira Winkler: Press falls short in reporting on chip hack
- Deep Security +VMware vSphere with Operations Management Most midsize organizations are highly virtualized on VMware, and while this has produced significant savings, it also has created new challenges when it...
- 3 Questions to Ask Your DNS Host about Lowering DDoS Risks Neustar has had wide-ranging conversations with clients wanting to know how they can optimize protection as DDoS attacks increase in frequency and size.
- The Danger Deepens: 2014 Neustar Annual DDoS Attacks and Impact Report This report compares DDoS findings from 2013 to 2012, based on a survey of 440 North American companies, including 139 businesses delivering technology...
- DDoS Infographic: How Are Attacks Evolving? For the third consecutive year, Neustar surveyed businesses across major industries to track the evolution of DDoS attacks. Are they more frequent? Larger?...
- How to Use Crowd-Sourced Threat Intelligence to Stop Malware in its Tracks Threat sharing networks have been around for a long time, however they have typically been "invitation-only", available to only large companies, or those...
- An Incident Response Playbook: From Monitoring to Operations As cyber-attacks grow more sophisticated, many organizations are investing more into incident detection and response capabilities. In this webcast, learn how to develop... All Malware and Vulnerabilities White Papers | Webcasts