Note: This blog post was significantly revised on 17 November 2019 after initial release on 12 November 2019. The primary alteration is within the second paragraph, noting that the initial event that inspired this blog post – an exchange between a security researcher/responder and a journalist – was much more nuanced than it originally seemed. To the extent that such items can be stated publicly, they have been addressed below.

A foundational aspect of my (too brief) life as a Cryptologic Officer in the US Navy is the legacy of Captain Joseph Rochefort. In addition to his time at sea, dedication and foresight in building up Naval cryptologic capability, and pivotal role in enabling victory at the Battle of Midway, he is also associated with a quote (very often misattributed) that has always resonated:

“We can accomplish anything provided no one cares who gets the credit.”

Captain Joseph Rochefort, USN

This statement hung on a sign in the dreary basement offices of Station Hypo in Hawaii during the Second World War, and informed the collaborative, ego-less effort required for in-depth, mind-numbing decryption work.

Captain Rochefort’s legacy and ethos remain with me, and came to mind during an especially nasty social media exchange in response to the recent publication of Andy Greenberg’s book, Sandworm. On initial view, the discussion seemed to be a rather classic example of an aggrieved individual lashing out after public reporting of an incident they worked on or contributed to in some fashion, but felt slighted or ignored. This happens wearyingly often within the field, so this exchange seemed as good an opportunity as any to embark on some level of exploration. However, in hindsight from the initial posting on 12 November 2019, it has become clear that circumstances are more complex than they initially seemed (as they often are), with public vitriol finding fuel in private wrongs. As such, while I won’t remove the link to the above exchange as I think it is still instructive in how not to address certain issues (publicly, angrily, and in 280-character increments), I will gladly make this revision: the aggrieved party almost certainly has a very justified reason for their anger, based on discussions with several sources who provided background of which I was previously unaware. For this reason, I apologize to Dave Maynor for my earlier over-simplification of events.

Moving back to the central line of argument, the (rather young) field of information security (even more so within the industrial control space) remains unsettled, rapidly changing, and subject to disruption – which perhaps explains (but does not excuse) the “I did X before X was cool” mentality some within the industry adopt in response to public work, analysis, and exegesis by others. Yet given the supposed focus and purpose of the field, such efforts seem not only misguided and petty, but actively detract from trying to solve the broader problem of security.

Yet, in the past ten years (spanning my current and two previous employers) I’ve observed multiple instances of individuals frothing at the mouth over lack of credit or insufficient deference regarding incidents they identified. While citation and recognition are key (as I’ve argued previously) to making a mature field of study, at the same time any mature field of investigation – from the analytical humanities and especially the sciences – depends upon building upon the work, observations, and actions of others to arrive at a coherent understanding of circumstances.

Contrary to the (generally, professionally-required) “standing on the shoulders of giants” nature of many mature fields of study, information security remains in an adolescent (at best) maturity status where we are conditioned to worship heroes (and all too rarely heroines) for their single-handed discovery, resolution, or development of some fantastic idea. While this seems suitable for a field in its infancy, where little or no prior work or discovery exists, I would argue information security has largely escaped this state for at least the last 10 years (roughly my time in the field) and likely for the last 20 – potentially even longer, given the long shadows cast by the likes of Cliff Stoll.

Yet today, a not insignificant amount of information security discussion (such as the Sandworm discussion linked above) centers not on driving research and understanding forward, but rather demonstrating ownership and uniqueness to the detriment of any potential follow-on analysis and understanding. While the information security field is attempting to root out and expunge the phenomenon of “gatekeeping” from hiring and joining the field, extending the same tolerance to research, analysis, and understanding still seems a ways off given so many public discussions of “I saw/did/responded to X first.”

To digress for a moment, the above is NOT in any way a defense or excuse for plagiarism. Usurping or presenting the work of others without even minimal effort for identification and citation is wrong, and will hold this field back for some time as we struggle with the question of “who’s first” over “how can we get this right”. Proper recognition and valuation of those that came before – even if as simple as a label on an image in a PowerPoint or citation of a blog post – can mean worlds to further intellectual exchange and pressing forward in investigation.

Yet while the issue of plagiarism is real, the issue of gatekeeping possessiveness is simultaneously just as real and almost equally detrimental. A mindset that finds only those initially responding to or discovering an incident, malware sample, or other observable are qualified (or allowed) to write and comment on it is unnecessarily chilling and robs a nascent intellectual community of significant analytical strength and capability. While some might be of the opinion that only those who directly responded to an event are qualified to comment upon it, we must also realize that much significant work within this field – from Stuxnet (neither Langner Group nor Symantec “responded” to intrusions at Natanz) to Moonlight Maze (extensively analyzed by researchers at Kaspersky with no US government experience) – relied upon individuals external to actual events reviewing, analyzing, and reporting on available data to come up with interesting and informative insights that helped defenders overall.

While first-hand experience seems most valuable (and would appear to bestow some sense of “ownership” on events), this does not and should not mean that others are not allowed to comment upon or review available information to identify additional insights or guidance. Adopting such a viewpoint would willingly place the discipline of information security at a disadvantage relative to adversaries, and make the ultimate goal of the profession – protecting users from intrusions and attacks – more difficult to achieve. Certainly, protecting sensitive sources, victim information, and other items comes into play, but much of this sensitivity seems to derive not so much from the risk of “outing” sensitive information as from someone covering or otherwise commenting on an idea over which another feels unrealistic ownership.

Ultimately, to solve the problem of information security, we as an intellectual (if not social) community need to come to terms with debate, discussion, and critique if only to push analysis and the search for truth forward. Adopting an approach where those seemingly encroaching upon an “owned” topic are subjects for ridicule and abuse will only set us back and make the ultimate goal of the profession that much harder to achieve.


1 Comment

Isabella · 11/24/2019 at 11:00

Demosthenes, commanding the force at Pylos, initially planned to starve the Spartans out rather than attack them, but as time wore on it became clear that the Spartans would be able to hold out for longer than anticipated. By offering freedom to Helots and monetary rewards to free men who would volunteer to carry food across to the island, the Spartans were able to bring in a small but critical stream of food. Some of these men reached the island by approaching from the seaward side at night during rough weather; others swam underwater towing bags of food. The Athenians, meanwhile, found themselves frequently short on rations, and the entire force was forced to depend on a single spring for its fresh water. In these adverse circumstances, the Athenians began to doubt that they could resolve the issue by siege before winter forced them to lift their blockade.
