October 15, 2019

"Information Sharing" Should Include the Public

The FBI recently issued a warning to U.S. businesses about the possibility of foreign-based malware attacks. According to a Reuters story by Jim Finkle:

The five-page, confidential “flash” FBI warning issued to businesses late on Monday provided some technical details about the malicious software used in the attack. It provided advice on how to respond to the malware and asked businesses to contact the FBI if they identified similar malware.

The report said the malware overrides all data on hard drives of computers, including the master boot record, which prevents them from booting up.

“The overwriting of the data files will make it extremely difficult and costly, if not impossible, to recover the data using standard forensic methods,” the report said.

The document was sent to security staff at some U.S. companies in an email that asked them not to share the information.
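The Reuters excerpt above describes a wiper that overwrites disk contents including the master boot record. A defender's first question is how to notice that the MBR has been tampered with before the next reboot fails. The following is an added example, not code from the post or the FBI advisory: it parses a 512-byte MBR, validates the boot signature and partition table, and compares a SHA-256 of the sector against a baseline taken from a known-good system. The sample sector (`make_sample_mbr`) is constructed here for illustration; on a real host the sector would be read from the raw disk device, which requires administrator privileges.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"          # last two bytes of a valid MBR
PARTITION_TABLE_OFFSET = 446           # four 16-byte entries follow the boot code
# Entry layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
PARTITION_ENTRY_FMT = "<B3xB3xII"


def parse_mbr(sector: bytes) -> dict:
    """Parse one 512-byte MBR into signature validity, partitions and a hash."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        offset = PARTITION_TABLE_OFFSET + 16 * i
        status, ptype, lba_start, sectors = struct.unpack_from(
            PARTITION_ENTRY_FMT, sector, offset)
        if ptype != 0:                  # type 0 means an unused entry
            partitions.append({
                "bootable": status == 0x80,
                "type": ptype,
                "lba_start": lba_start,
                "sectors": sectors,
            })
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "partitions": partitions,
        "sha256": hashlib.sha256(sector).hexdigest(),
    }


def check_mbr_integrity(sector: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector is not a valid MBR")
    if not info["partitions"]:
        findings.append("partition table empty: no usable partition entries")
    if info["sha256"] != baseline_sha256:
        findings.append("MBR hash differs from recorded baseline")
    return findings


def make_sample_mbr() -> bytes:
    """Constructed sample MBR (assumption for this example, not a captured sector):
    one bootable partition of type 0x07 starting at LBA 2048, valid signature."""
    sector = bytearray(MBR_SIZE)
    sector[0:3] = b"\xeb\x3c\x90"      # a jump opcode, as real boot code begins
    struct.pack_into(PARTITION_ENTRY_FMT, sector, PARTITION_TABLE_OFFSET,
                     0x80, 0x07, 2048, 2_097_152)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    good = make_sample_mbr()
    baseline = parse_mbr(good)["sha256"]   # record this on a known-good host
    print("intact sector findings:", check_mbr_integrity(good, baseline))
    wiped = b"\x00" * MBR_SIZE             # what an overwritten sector looks like
    for finding in check_mbr_integrity(wiped, baseline):
        print("wiped sector finding:", finding)
```

The baseline hash has to be recorded and stored off-host while the system is known to be clean; a check that reads both the sector and the baseline from the same disk tells you nothing once that disk has been overwritten. On a live system the read of the first sector (for example from `/dev/sda` on Linux) should be scheduled from a monitoring agent so that a changed hash is reported before a reboot exposes the damage.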

The information found its way to the press, as one would expect of widely-shared information that is of public interest.

My question is this: Why didn’t they inform the public?

A great many vulnerable computers exist outside of companies, and those computers need to be protected. And yet some people in government treat public discussion of security risks as being harmful in itself.

Here’s the FBI spokesman, commenting to Reuters:

“The FBI routinely advises private industry of various cyber threat indicators observed during the course of our investigations,” [FBI spokesman Joshua Campbell] said. “This data is provided in order to help systems administrators guard against the actions of persistent cyber criminals.”

This is good, but why limit it to “private industry”? Why not inform everyone who needs to know?

It’s hard to think of a legitimate reason to keep this information secret. Everybody knows that this malware was used to attack Sony Pictures. And it must be obvious to the attackers that the postmortem at Sony will reveal the workings of the malware to Sony, its consultants, and the U.S. government. These facts are not secrets, let alone secrets that are worth protecting at the cost of putting the public at risk.

The secrecy is probably designed to protect somebody from embarrassment. If that somebody is Sony, it’s not working—the Sony attack is well known at this point. Perhaps the goal is to keep from embarrassing somebody in the government. One effect of the secrecy is to make it harder for citizens to hold the government accountable for the consequences of its cybersecurity policy.

Comments

  1. Adam Shostack says:

    A great set of questions! I think “sharing” has a nice, warm feeling to it which hides the harsh reality that someone is making decisions about who is informed and who is in the dark. I’ve tried framing this as “publication” versus “sharing”, for example in this blog post http://newschoolsecurity.com/2012/08/dont-share-publish/