Cybersecurity expert argues FUD can be effective

Sharon Nelson thinks a certain amount of Fear, Uncertainty and Doubt (FUD) is a good thing.

Nelson, an attorney and president of the information security, digital forensics and IT consulting firmÃ'Â Sensei Enterprises, knows she is taking something of a contrarian view. Most objective experts in the information security world view FUD as essentially part of a sales pitch: Scare the IT manager enough and they'll buy your security product.

They also tend to dismiss it as exaggeration in the analysis of recent revelations that the U.S. was behind not only the Stuxnet worm used to attack the Iranian nuclear program, but also the Flame espionage malware.

[Bill Brenner in Salted Hash:Ã'Â Flame: The importance vs. the hype]

Most security experts agree that cyberattacks are a major, costly problem, both for industry and government. But they say it is going overboard to call it a war. As Bruce Schneier, chief security technology officer at BT and author told CSOÃ'Â last week, "Throughout history, the definition of a 'major war' has involved casualties in the hundreds of thousands. That means dead people."

But Nelson doesn't shy away from the term "cyberwarfare" or from FUD. On Sensei's Ride The Lightning blog, she contends, "The line between cyberwarfare and the real thing is a fine one -- one our enemies may not appreciate."

Nelson told CSO: "You can accomplish some of the same kinds of things in a cyberattack that you can in a conventional war -- you can take out water plants, transportation systems, communications."

She said it is silly to argue, as some have, that the U.S. won't be the target of a major attack because other nation's still fear U.S. military power. "A lot of folks are prone to retaliate against the U.S.," Nelson said. "The Iranians are obviously furious with us. And there are lunatics, madmen and terrorists in the world -- what do they care about our military capability?"

So, what is the value of FUD fit in all that? If people are fearful and uncertain, what will that accomplish, other than a possible overreaction from panic?

Nelson said she does not advocate sowing panic. But she believes FUD -- especially doubt -- "may make people question things."

"You have to second guess," Nelson said. "None of us believes that what we hear on TV is reality any more than reality show. If [people are concerned], then more questions will be asked, more investigations will be done."

She noted the vulnerabilities of U.S. systems, both private and public. "It wouldn't take a hell of a lot to do damage. Our SCADA (supervisory control and data acquisition) systems have been penetrated before."

And she cited a report last week in Business Insider, citing current and former intelligence sources, that said China has a "covert capability to remotely access communications technology sold to the United States and other Western countries and could 'disable a country's telecommunications infrastructure before a military engagement.'"

"We spent billions buying telecom equipment from them, and they can pull the plug anytime they want," Nelson said.

In her blog post, she argued: "I doubt that we know a fraction of what is really going on and I doubt if the politicians or military will tell us the truth. They never have before -- why now?"

Nelson said her biggest concern is that nobody yet understands the long-term consequences of cyber conflict. "When the atomic bomb was was developed, only a few people saw the long-term consequences. This is really no different. We don't have a handle on it," she said.

The revelations about Stuxnet and Flame have left the U.S. "with a target on [its] forehead," she said. "It's realistic to think that the U.S. and China are going to go head-to-head at some point. The battleground will be in the electronic world, and I'm concerned that we may not be able to win -- the Chinese are very, very good."

She wrote in her blog post: "We have a pretty good system for protecting us from lunatics setting off nuclear weapons -- I fear our oversight of cyberwarfare is not nearly as sophisticated."

Read more about data protection in CSOonline's Data Protection section.

Join the CSO newsletter!

Error: Please check your email address.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Taylor Armerding

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place