FireEye chief executive Kevin Mandia told a forum — organised by Scoop News Group, the parent organisation of Cyberscoop — that certain features within the malware produced by nation states indicated the country that was involved.
He was quoted as saying: “We find malware that sometimes has a time to live and then it doesn’t run anymore. I wonder who would do that. Probably [the US] because we’re the nicest hackers in cyberspace, besides maybe China.”
Cyberscoop had a chance to quiz Mandia about these remarks because its report, written by staffer Zaid Shoorbajee, mentioned that he had spoken to Mandia after the speech. But Mandia's views went unchallenged.
Other security companies do not follow this procedure as is evident from the tweet below.
If Dragos finds threats in ICS networks, no matter who we think it is, no one gets a heads up. I.e. there are no “friendly” nations when it comes to targeting civilian infrastructure. They all shouldn’t be there. Luckily we don’t do attribution either so - all just threats to us.— Dragos, Inc. (@DragosInc) 1 June 2018
That such propaganda has gone unchallenged is perhaps because these forums are part of the business model of the Scoop News Group, which advertises its events as "Five hundred billion dollars of direct IT influence are in this room", adding that 70% of the attendees are from the government and that it has so far secured 3000 VIP speakers for its events.
Scoop News Group also makes money from what it calls disruptive studies, thought leadership articles, tech briefs and multimedia campaigns. How these activities can co-exist side-by-side with forthright journalism is puzzling.
One Cyberscoop reporter Chris Bing tweeted out a link to the article on Mandia's remarks, adding: "To be clear: the story says that there's a heads up before the publication of public intel reports (think APT 1 report). When encountering *suspected* Five Eyes malware they detect/stop. Redline is around public disclosure. And even then, it's pretty tough to attribute anyways."
The article mentioned the disclosure of the Slingshot malware at Kaspersky Lab's Security Analyst Summit in March. A Cyberscoop report later cited unnamed intelligence sources as claiming that Slingshot was US-crafted malware and aimed at what the source said were terrorists.
To be clear: the story says that there's a heads up before the publication of public intel reports (think APT 1 report). When encountering *suspected* Five Eyes malware they detect/stop. Redline is around public disclosure. And even then, it's pretty tough to attribute anyways— Chris Bing (@Bing_Chris) 1 June 2018
When Ryan Naraine, a former reporter at ZDNet and also a former Kaspersky Lab employee, asked Bing whether he saw anything "marginally problematic with this approach", Bing quickly went on the defensive.
After clarifying that Naraine was asking for his opinion, Bing tweeted out a sanctimonious reply: "My job is to break news and accurately report things with the help of my editorial team. It's not to have opinions. What I can say is that I am driven to report on important subjects in this space, regardless of who is involved."
To which former Wired reporter Kim Zetter responded: "You want to have stories that are balanced, but that doesn't mean the reporter doesn't have opinions. Like it or not, reporters/editors express their opinions in the headlines they choose, their choice of quotes and the context they do or don't include in stories."
Bing's views were endorsed by his current colleague, Shaun Waterman, who responded to Zetter: "Up to a point. A wise old bird at the BBC once told me: 'Shaun, the listeners don't care what you think. they care what you KNOW.' It's knowledge, not opinion, that makes a great journalist."
As a government broadcaster, it is obvious the BBC would have a different perspective on opinion. The government-funded ABC in Australia has a similar stand on opinion as the Beeb.
It is ludicrous to think that malware, no matter who propagates it, can act "nice" towards some part of the population and viciously towards others. It is a danger to all and sundry. Lower down in the article about Mandia, Cyberscoop very briefly mentioned that other unnamed experts claimed the US was as unruly and wild as far as its malware was concerned, with the case of Stuxnet cited as an example.
There are numerous security companies in the US that seem to tailor what they publish towards the needs of government. One of these companies, Recorded Future, put out research just before the summit of the Koreas, about North Korean activities in cyber space.
A second report, issued just before US President Donald Trump was due to pronounce on the Iran nuclear deal — he cancelled it — claimed that Iran would retaliate by stepping up its online attacks. Nothing of the sort has happened.
Both the North Korean attack report and the Iran one were sent to iTWire prior to publication; we ran the former but then I thought the second one looked just too much of a coincidence. So I held off.
Another case of a security company trying to push a line came to the fore last year when a Washington-based company InGuardians slipped a report to former Washington Post employee Brian Krebs, containing claims about the identity of the person behind the leak of NSA exploits by the Shadow Brokers.
Krebs ran the story in great detail and then suddenly took it down. He mentioned the takedown at the very end of a story he wrote about the arrest of a Vietnamese American who had pleaded guilty to taking masses of NSA material home. Comments were not allowed on this article, presumably to avoid criticism of his earlier claim.
When iTWire quizzed Krebs as to the reasons for his taking down the article, he did not provide a reply, indulging instead in personal slurs. Krebs' agenda in writing up the InGuardians "research" was questioned by well-known security blogger Marcy Wheeler.
It is perfectly fine for publications to report claims made by public figures, no matter where, when and on any topic. But it is also the duty of said publications to offer a perspective that perhaps such claims could be overblown. A hands-off attitude is what led to one of the great recent disasters in US foreign policy: the invasion of Iraq in 2003.
In the case of Mandia and Cyberscoop, the journalistic side of operations appears to have been somewhat compromised by the fact that the FireEye chief made his remarks at a forum organised by the owner of Cyberscoop.
One of the top investigative reporters in the US, Seymour Hersh, has just released a memoir titled Reporter. Therein, according to a review by Rolling Stone's Matt Taibbi, he tells the tale of how the CIA tried to feed him information about Jonathan Pollard, who was caught spying for Israel.
At a time when then US president Bill Clinton was rumoured to be preparing a pardon for Pollard, Hersh was invited to the CIA and shown masses of intelligence that Pollard had sold to Israel. Doubtless, the CIA spooks wanted Hersh to write about it and make the case for not issuing a pardon to Pollard.
Though the story would have been a major one, Hersh was not comfortable with being fed information this way. "I was very ambivalent about being in the unfamiliar position of carrying water for the American intelligence community," he writes. "I, who had worked so hard in my career to learn the secrets, had been handed the secrets."
Taibbi commented: "This offhand line explains a lot about what has made Hersh completely embody what it means to be a reporter. The great test is being able to get information powerful people don't want you to have. A journalist who is handed something, even a very sensational something, should feel nervous, sick, ambivalent. Hersh never stopped feeling that way, remaining an iconoclast and a thorn in the side of officialdom to this day."
One can't help feeling that there's a lesson somewhere in there for people who report whatever officialdom tells them without stopping to question the claims being pushed.
Many journalists like to be well-known, and forget completely that they are part of the fourth estate, not some arm of industry meant to support national governments. As I've written before, it's best to remember that we are just filling up the spaces between the advertisements and therefore it is advisable to disabuse ourselves of any sense that we are the story. A journalist is an outsider, not an insider. That's a tough path to hoe. But it means the difference between a journalist and a stenographer.