Cranks On Security

Here's my beef: cybersecurity journalists will go to the very bowels of the internet, gather a lot of information about the crime du jour, get criminals to talk to them on the record, explain in excruciating detail how the latest scam/fraud/attack works, get the latest hot goss and internal gang drama, coax cybersecurity researchers into providing expert analysis, and call it a day. Good job!

Obviously, there's very little downside in getting a criminal (allegedly) on the record because "alienating a criminal gang" is not something you should worry about when doing your reporting. Shit, however, gets real when it comes to explaining the reasons behind some of those incidents. It's all nice and good to write 5,000 words about the tools, techniques, methods, profits, and internal organization of, say, AlphV. Also great to have researchers chime in. But... how about trying to figure out how the fuck can a ransomware attack cripple a business so badly that your clients can't, you know, pay rent?

The attack forced the shutdown of parts of the electronic system operated by Change Healthcare, a sizable unit of UnitedHealth Group, leaving hundreds, if not thousands, of providers without the ability to obtain insurance approval for services ranging from a drug prescription to a mastectomy — or to be paid for those services.

Not a single mention of who's responsible for the cybersecurity of those organizations. We know that one of the criminals started complaining that they didn't get their cut, but we don't know who failed at their jobs so fucking much that goddamned treatment of cancer patients could have been jeopardized. I'm not one to victim blame, but this level of disruption caused by a known threat is not normal. What the hell happened? And how does it happen again?

Why isn't the media trying to figure out what went wrong at these organizations? Why aren't reporters trying to speak with the IT and cybersecurity rank and file to try and see if negligence is at play? Why are these media outlets happy with being stenographers to these massive and rich corporations? Who's their fucking CISO? You can figure out the org chart of a criminal gang 6,000 miles away, are you telling me that you can't figure out if shit was so bad at Change Healthcare that something like this was pretty much guaranteed to happen? Give me a fucking break.

What I can surmise here is that a bunch of these cybersecurity journalists are nothing of the sort. They are crime journalists no different from those who write for tabloids that will put a dead body on the front page for shock and awe. It doesn't matter how many Bitcoins the gang got. It does matter that you point out that cryptocurrencies are very convenient for the criminals, and that they should be regulated to hell and back. It doesn't matter if a dude didn't get his cut of the ransom. It does matter that you try and figure out if this could have been prevented by some basic cybersecurity practices. It doesn't fucking matter that "Notchy" claims that the "ALPHV team decide to suspend our account and keep lying and delaying when we contacted ALPHV admin." It fucking matters to know who's ultimately responsible for the cybersecurity of these companies, and these reporters should not let go until they figure out if someone dropped the ball, and how the fuck do we, as a society, prevent this from happening again. Because from where I'm sitting you're just serving as a biographer for the criminals and doing jack shit to improve things. Instead of chasing quotes from "Notchy", go see if the US Health and Human Services Department has anything to say about making sure this doesn't happen again. Or CISA. Or what representatives Andrew Garbarino and Eric Swalwell of the US House of Representatives' Cybersecurity and Infrastructure Protection Subcommittee have to say. Use the platforms you have to try and make things better instead of being the cybersecurity equivalent of a true crime redditor.