What We Have Here Is a Failure to Communicate

Nancy Bartels of Control magazine and ControlGlobal.com hijacking Joe's blog here. This story would be funny if it wasn't so scary. Wired magazine has broken the real story (or the latest iteration of the real story). The link is here. So it wasn't evil hackers from Russia after all. From the sound of it, more like a Keystone Cops fire drill. Nobody checked with anybody. Lots of people assumed things they shouldn't have assumed, and now it's somebody else's fault and we're into a finger-pointing marathon.

I would have thought the next step for DHS and the Illinois Statewide Terrorism and Intelligence Center would be to figure out how -- ahem -- mistakes were made. It would be nice to think they were working on making sure such errors never occur again and that when alerts are issued, they're accurate.

Silly me.

What are DHS and ISTIC worried about? Who spilled the beans to Joe Weiss. Like finding that out is going to help secure our water system infrastructure.

It smells to this layperson like the bureaucracy is in full CYA mode. If the public can be distracted from the issue of how DHS and ISTIC fumbled notification so badly, then nobody will be to blame, which is what's really important after all. Meanwhile, one of these days, there's going to be a really serious infrastructure attack, and nobody's going to pay attention because everyone is going to assume that it's another DHS screw-up.

Then heads really are going to have to roll, but by then it will be too late.


What are your comments?


Comments

  • Hi Nancy,

    Since Joe disclosed information from an FOUO document on a ControlGlobal blog, I was curious what the company policy was on FOUO or other classified document disclosure on the controlglobal.com site?

    I'm not saying what Joe did was wrong. If he got the document without restriction, meaning he didn't sign anything or verbally agree to not disclose, then he is free to disclose it. At that point it is up to his discretion, and since this is a ControlGlobal blog, ControlGlobal's discretion.

    In fact, what I disliked was his partial disclosure. Once he decided to disclose the incident and some FOUO information he should have disclosed it all.

    Dale Peterson

    Digital Bond, Inc.

  • I'm leaving a response to this up to Walt Boyes, our editor in chief, and Joe Weiss. Look for their responses soon.

  • While what Dale suggests is perfectly legal, it is actually counterproductive. Allow me to suggest that if I knew that I was going to have my missteps broadcast for all to see, I wouldn't disclose anything that didn't have a legal reason for being.

    One thing most of you may not see is the sheer number of bored attorneys who will file lawsuits given the slightest cause. We see these lawsuits even for things like building a tower on property owned by the company. Against a backdrop like that, even if my part of this problem is minimal, I am not going to disclose a single hack or process anomaly unless there is either a legal requirement to do so, or I am assured that nobody will come knocking. The last thing I need is a bunch of hungry lawyers on a fishing expedition pawing through technologies and practices they have little hope of understanding and then making policy all over me and my company.

    So, were I to disclose this data, I would only do so by redacting a lot of specific data. In fact, Joe didn't even identify which state this was in. Even the original ISTIC report didn't identify anything more specific than the fact that it was a utility in the central part of the state. It was DHS, in a later interview, who revealed the specific city where this happened. And since there were few possibilities, it only took a few phone calls to figure out which one it was.

    While I disagree with Joe's release of this data in such a specific manner (he had to know that someone would figure out the location sooner or later), I think it would have been unwise to publish the ISTIC report verbatim. Had he done so, it might be a very long time before anyone bothered to volunteer information to him again.

    Jake Brodsky


  • I took a few days to think this through, Dale, because I want to be clear. I gave Joe permission to leak the document, which he did, by reading it to someone. I didn't read it, even though I qualify to, based on my membership in ISA99, regardless of whether I am a journalist or not.

    While there is a long tradition of investigative journalists disclosing sensitive information, neither Joe nor I am looking for a Pulitzer. What we are doing is to try to improve the nation's industrial control security.

    Joe and I have said for years that we believe that a non-governmental CERT for Industrial Control Systems is the only appropriate answer to the tendency of governments to mark everything on their desks secret. The document in question is clearly a grave misuse of the FOUO designation, as is the Aurora document, which, years after leaking to CNN and being on YouTube, is STILL classified FOUO.

    We recognize that in some cases, the United States' national security may be involved. In this case, it clearly was not, and as was revealed later, there appears to have been a huge screw-up by the FBI, Illinois officials (ISTIC) and the DHS, which was only remedied very late in the game when the responsible party spoke up. As Nancy Bartels noted in a recent post here, it seems that the bureaucracy is in full CYA mode. "If the public can be distracted from the issue of how DHS and ISTIC fumbled notification so badly, then nobody will be to blame, which is what's really important after all."

    Our policy toward FOUO documents is well thought out. If, in our judgement first as subject matter experts and secondly as journalists, we believe that the document is clearly lying within "the public's right to know" we will disclose whatever part of the document we believe to be salient. Our objective is, as always, to maximize information flow to the people who need to know it, not just those who are permitted to read FOUO documents.

    That's one reason we didn't print the document, and we disclosed only parts of it. We believe that Joe and I functioned as responsible subject matter experts, as well as knowledgeable journalists. We did our jobs.

    Joe's continuing point about poor channels for disclosure is what is operative here, not whether we disclosed an FOUO document or not.
