When is a number not a number? When it’s a placeholder. When it’s zero. Zero being precisely the number of recorded instances of harm befalling a human as a result of actual real world exploitation of the Heartbleed vulnerability.
Heartbleed was a vulnerability. Not a risk. As professionals, we know that risk is a function of an indivisible compound of vulnerability with threat. We further know that threat itself is a function of a further indivisible compound of an attacker with both the capability and the intent to act on their nefarious desires. A vulnerability in the absence of threat is not a risk. Prior to the media storm visited needlessly upon the world, few, if any, including the threat actors, even knew of its existence.
Heartbleed was real. A serious vulnerability in an important web service. Limited exploitation of the vulnerability had the potential to enable wrongdoers with sufficient intent and capability to do harm to individuals. Unchecked exploitation would certainly have temporarily dented trust in the Internet. Prolonged or massive financial loss as a result of significant exploitation could have had serious macro-economic or social consequences and might even have damaged public trust and confidence in the advice of IT and cyber security experts. It demanded a serious, thoughtful, considered, measured, balanced, co-ordinated, proportionate and professional response from these experts. Which is precisely the opposite of what happened.
We, the community of IT and cyber security experts, turned the volume up to eleven on this one. Us, not the bad guys. As experts, we competed to command ever more extravagant hyperbole. In concert, we declared this “catastrophic”. In a post-Snowden world it was inevitable that the dark ink of conspiracy theory would cloud the story as fast as the Internet could carry it. And yet, nothing bad actually happened. We rushed to spread fear, uncertainty and doubt in knowing defiance of the available evidence. Perhaps because of the absence of evidence.
We did succeed in scoring two own goals. Firstly, we needlessly spread fear, uncertainty and doubt. Arguably far more effectively than anyone other than the most sophisticated attacker could have done. Secondly, we gave further credence to the growing sense that this is all we can do. There is a view, dangerous and mistaken but nonetheless credible and growing, that we turn the volume up to eleven to crowd out the silence of our own ignorance and incompetence.
Molly Wood, writing about Heartbleed in the business section of the “New York Times” on 14th April 2014, observed with regret that “what consumers should do to protect their own information isn’t … clear, because security experts have offered conflicting advice”. Adding that, despite the hype, “there is no evidence it has been used to steal personal information.” We undermined public trust and confidence in the Internet; and in ourselves.
What we do is important because the systems we are responsible for securing and managing are important. They are the beating heart of the Internet and this is the nervous system of the cyber phenomenon. The Internet alone is of societal, if not existential, importance. Cyber is transformative. Without us, or at least without some of us, the world would be less safe and less secure than it is. However, it needs to be safer and more secure than it is. More of us need to do a better job.
The net effect of Heartbleed, the real catastrophe, has been yet another self-inflicted wound to the already badly damaged credibility of the community of security experts. We cannot sustain many more of these injuries before the credibility of our community as a whole falls victim to our seemingly suicidal instincts.
If we want to be taken seriously and treated as professionals, it’s time we started to behave like professionals. We need to stop crying wolf and start giving answers to the difficult questions we have been avoiding for far too long. How do we actively enable cyber democracy?
It is now time to start the process of moving towards the creation of a professional governance body with the same kind of power and status as, for instance, the Law Society or the General Medical Council. Embracing willingly and freely all of the consequences around regulation, licensing and liability that this will bring. Time to stop crying cyber wolf. Time for the snake oil merchants to find another Wild West.
CyberTalk #5 Colin Williams