Some notes for journalists about cybersecurity

The recent Bloomberg article about Chinese hacking motherboards is a great opportunity to talk about problems with journalism.

Journalism is about telling the truth, not a close approximation of the truth, but the true truth. They don’t do a good job at this in cybersecurity.

Take, for example, a recent incident where the Associated Press fired a reporter for photoshopping his shadow out of a photo. The AP took a scorched-earth approach, not simply firing the photographer, but removing all his photographs from their library.

That’s because there is a difference between truth and near truth.

Now consider Bloomberg’s story, such as a photograph of a tiny chip. Is that a photograph of the actual chip the Chinese inserted into the motherboard? Or is it another chip, representing the size of the real chip? Is it truth or near truth?

Or consider the technical details in Bloomberg’s story. They are garbled, as this discussion shows. Something like what Bloomberg describes is certainly plausible, but something exactly like what Bloomberg describes is impossible. Again there is the question of truth vs. near truth.

There are other near truths involved. For example, we know that supply chains often replace high-quality expensive components with cheaper, lower-quality knockoffs. It’s perfectly plausible that some of the incidents Bloomberg describes are that known issue, which they are then hyping as being hacker chips. This demonstrates how truth and near truth can be quite far apart, telling very different stories.

Another example is a NYTimes story about a terrorist’s use of encryption. As I’ve discussed before, the story has numerous “near truth” errors. The NYTimes story is based upon a transcript of an interrogation of the hacker. The French newspaper Le Monde published excerpts from that interrogation, with details that differ slightly from the NYTimes article.

One of the justifications journalists use is that near truth is easier for their readers to understand. First of all, that’s not justification for falsehoods. If the words mean something else, then it’s false. It doesn’t matter if it’s simpler. Secondly, I’m not sure they actually are easier to understand. It’s still techy gobbledygook. In the Bloomberg article, if I as an expert can’t figure out what actually happened, then I know that the average reader can’t, either, no matter how much you’ve “simplified” the language.

Stories can solve this by both giving the actual technical terms that experts can understand and then explaining them. Yes, it eats up space, but if you care about the truth, it’s necessary.

In groundbreaking stories like Bloomberg’s, the length is already enough that the average reader won’t slog through it. Instead, it becomes a seed for lots of other coverage that explains the story. In such cases, you want to get the techy details, the actual truth, correct, so that we experts can stand behind the story and explain it. Otherwise, going for the simpler near truth means that all us experts simply question the veracity of the story.

The companies mentioned in the Bloomberg story have called it an outright lie. However, the techniques are roughly plausible. I have no trouble believing something like that has happened at some point, that an intelligence organization subverted chips to hack BMC controllers in servers destined for specific customers. I’m sure our own government has done this at least once, as Snowden-leaked documents imply. However, that doesn’t mean the Bloomberg story is truthful. We know they have smudged details. We know they’ve hyped details, like the smallness of the chips involved.

This is why I trust the high-tech industry press so much more than the mainstream press. Despite priding itself as the “newspaper of record”, on these technical issues the NYTimes is anything but. It’s the techy sites like Ars Technica and sometimes Wired that become the “paper of record” on things cyber. I mention this because David Sanger gets all the credit for Stuxnet reporting when he’s done a horrible job, while numerous techy sites have done the actual work figuring out what went on.

*** This is a Security Bloggers Network syndicated blog from Errata Security authored by Robert Graham. Read the original post at: