Who are these people who think cybersecurity experts are crying wolf?

Some dismiss calls to action as hype to sell security technology

It happened again Monday that a news report about the threat of cyberattacks was greeted with skepticism. It has also happened in the wake of some of my previous posts on the subject, when commenters said the security experts warning of the threat are only scaring people in order to sell their security products and consulting services. I’m not sure we can put their warnings in the same category as burglar alarm companies showing burglars breaking into your house in their TV ads.

The report Monday was on Information Week Government’s site. The byline caught my eye as that of Elizabeth Montalbano, a onetime colleague at IDG News Service, the “wire service” for Network World and other IDG publications.

Montalbano reported on the remarks of Mark Bregman, chief technology officer of security company Symantec, who spoke at the first-ever NASA IT Summit and said the space agency is ideally suited to promote global cooperation among nations on cybersecurity. Given that NASA has already worked with other nations, such as Russia and France, on space flights, it could also collaborate with them to keep computer networks secure.

“There’s an urgent need for diplomacy to kick-start international cooperation on cybersecurity,” Bregman said.

The comments that followed Montalbano’s story suggested Bregman was hyping the threat for the sake of Symantec sales. “See, Symantec created the panic so as to sell its products,” wrote one. “If Symantec is not the one starting all the cybersecurity mess, the whole world would be much more peaceful,” wrote another.

These reactions are similar to ones that followed a report I wrote in March about a panel discussion at RSA Conference 2010 about the possibility of the cyberattack equivalent of Pearl Harbor. The reactions included this: “A cyber ‘Pearl Harbor?’ Sounds like the security industry is using hyperbole to try to get some government ‘attention’ (read: public funds),” wrote one reader. To be sure, the preponderance of comments supported the notion that the computer network needs to be better secured.

I find it puzzling that what you might call “cyberthreat deniers” are downplaying the threats by portraying the people making the warnings as compromised by their financial interests. What comes to mind for me is the post-9/11 adage about guarding against the next terrorist attack: The CIA has to get it right 100 percent of the time, but the terrorists only have to get it right once.

Bregman’s comments at the NASA forum mirror those of one of the panelists at the RSA panel I covered. Bregman said cooperation between the U.S. and foreign governments on cybersecurity is “sorely lacking.” Likewise, at RSA, Richard Clarke, a partner in Good Harbor Consulting and former security adviser to both Presidents Bush and to President Clinton, called for global collaboration. “You could have an international treaty that puts an obligation on every country to police its own cyberspace,” Clarke said. “We talk to Russia and China about lots of things ... but we don’t ever make this a big issue.”

The written record is full of examples of significant security breaches around the world that may not have blown up the Internet entirely, but are rightly cause for concern. Earlier this month, Microsoft issued a rare “out-of-band” security warning about a vulnerability discovered in multiple versions of Windows, including fully patched Windows 7. Nothing catastrophic happened that we know of, but it is the equivalent of the authorities disrupting a potential terrorist plot before the plotters can strike.

In Clarke’s new book, “Cyber War: The Next Threat to National Security and What to Do About It,” co-written with Robert Knake (yes, you have to give them money in order to read it), he describes how in Russia’s 2008 invasion of former Soviet-controlled Georgia, the Russians jammed Georgia’s Internet connections. In 2007, Israel reportedly disrupted Syria’s air defenses electronically prior to an attack on a suspected nuclear facility. In his RSA remarks, Clarke also noted how U.S. electric power grids had been dotted with “logic bombs,” small bits of software that could have been used to execute an attack.

To be sure, the financial interests of those warning about cybersecurity vulnerability should be disclosed, but their warnings shouldn’t be dismissed either. Just because you can still download movies from Netflix or update your Facebook status doesn’t mean everything’s fine.

On the other hand, maybe I’m just writing this to get page views to our site and make money for us.


Copyright © 2010 IDG Communications, Inc.