This should be security professionals’ moment, but we don’t seem capable of enjoying it.
For years we’ve wanted people to listen to us and to give cybersecurity the attention it deserves. We’ve screamed that cybersecurity failures can have real-world consequences. We were ignored when we called out the U.S. government for inadequate security after Russia hacked the Pentagon, the State Department and the White House.
Now that Russian hackers had a hand in the U.S. presidential election, though, the world is ready to listen to us. And what they’re getting is an earful as we mock each other, confusing everyone in the process by acting as if Russia never hacked a thing in the past, never used disinformation as a top strategy, and is just an innocent victim of politics.
We have security professionals questioning the findings of the top commercial organizations in the field, all of which agree with the conclusion that Russia hacked the political organizations and people in question. The entire U.S. intelligence community, the Senate leadership and Speaker of the House Paul Ryan go even further in concluding that Russia did this to try to influence the outcome of the election in favor of Donald Trump. The critics say they want to see proof. But security professionals have always understood that not everything in these situations can be released. We have always trusted our peers and the experts in the field who work the problem 24/7 to do what needs to be done.
That’s why security professionals didn’t second-guess those earlier reports about Russian hacking and never challenged the 2009 Wall Street Journal article about Russia, China and others hacking the power grid. We didn’t question the reports from SecureWorks, Mandiant, Fidelis (IBM) and CrowdStrike, which have hundreds of years of combined experience in tracking, investigating and responding to advanced attacks from nation-states against governments and other organizations.
Now, though, there are doubts aplenty. Doubts themselves aren’t a problem; good security professionals should always cast a dubious eye toward reports and findings. But they also need to recognize when misgivings are misplaced. In the case of Russian intrusion into the election, no organization that actually investigated the hacks has dissented from the opinion that Russia was involved, and there is even bipartisan consensus on that in the political realm. It’s worth noting, since intelligence failures ahead of the Iraq invasion have been mentioned, that on the question of Iraq’s possession of weapons of mass destruction, there were many dissenting opinions — and unlike in this case, they were from people with firsthand knowledge.
Look, for example, at the efforts to discredit the analysis of CrowdStrike concerning the hack of the Democratic National Committee. Some security professionals are saying, “Anyone could have found and used the malware.” But if they read the report from CrowdStrike, they would see that there were significantly more indicators than a single piece of malware. Very thorough analysis was performed.
Sign up for CIO Asia eNewsletters.