Why I have resigned from the SANS NewsBites editorial board

Yesterday's posting of SANS NewsBites included editorial content that was added after the issue had gone through its editorial process. That's a fairly normal occurrence and it's certainly SANS' privilege to add whatever it deems appropriate to its newsletter. Here's the problem: computer security reporting inherently misrepresents its topic if it relies on unattributed claims. Reporting is making statements of fact. Editorial is offering one's opinions and analysis regarding those facts. Accepting "So-and-so said that someone else said" and reporting it as fact is not merely sloppy journalism, it's placing the journalist in a position of becoming a conduit for inaccurate information - whether the inaccuracy is accidental or deliberate:

 The managing partner of a large New York law firm had a visit from the 
 FBI in which he learned that the files of every one of his firm's 
 clients had been copied from the law firm's servers and placed on 
 servers in Asia known to be used as transfer points in APT attacks (APT 
 translates loosely to Chinese, he learned). Nine days later, he and 
 another partner from his firm came to my house on a Sunday morning for 
 a conversation. 

In my comments on various issues of NewsBites I have consistently asked SANS and my fellow editorial board members to hold a hard line regarding statements of fact backed by evidence and to clearly describe hearsay as such. In the past decade (or whatever it's been) on NewsBites' editorial board, I have been careful to consistently argue that the word "alleged" be inserted where appropriate, and that "anonymous hackers say" reports be treated as not credible - or labelled as rumor or hearsay. It's important to get this right, because computer security has, unfortunately, now become a potential source of acts of war against states, a new "battlefield", and a politically sensitive target. Consequently, it is more important that we are careful with our words and extremely judicious with how and when we point the finger of blame. We in the computer security field need to grow up, and we need to grow up very, very quickly because we are being pushed into the cross-hairs of potentially life-threatening political and economic debacles. That means those of us who are responsible for reporting news of computer security, or providing editorial opinions, must be extra careful to avoid destroying our ability to communicate to our peers by showing that we have sacrificed our credibility and our objectivity.

Many of us in the computer security field have been involved in forensic response or have served as expert witnesses in legal proceedings. We understand that evidence is something you gather, analyze, preserve, and explain. None of us who have ever tried to serve the rule of law have had the luxury of being so sloppy as to tell the victim of an attack about something so significant and damaging - involving client data - and what might be a conspiracy, without being willing to back it up with solid evidence that would give the victim and their legal counsel the basis for making an informed decision. It strikes me as inappropriate (not to say bizarre) that the FBI - a government agency that is part of The Department of Justice - which understands how to collect evidence, make its case, and prove its point - has been resorting to selectively leaking information about ongoing investigations including accusations of guilt. It is especially troubling when those accusations involve serious claims against a sovereign power. I am quite sure that my peers in the security community would be as happy as I am to examine and understand the evidence on which these accusations are based; but the correct place for that evidence to be presented and weighed is openly in court - not through manipulating public opinion, leaks, or hearsay. In the past, I have complained whenever NewsBites has published hearsay on this topic. At this point I think it's pretty clear that my opinion is not valued, so it's time for me to go.

In the past decades, we have seen how the rush to war can be encouraged by yellow journalism, false reporting, and media manipulation. As members of the security community, who are concerned with the safety of our constituents, our role is defensive. Our concern is the innocent. We are protectors, whether the "target" is our own civilians or another country's.

mjr.
Bellwether Farm, March 10, 2012