Cyber Security Witch Hunts

Amidst an epidemic, anger toward outsiders, and simmering hatred between communities of varying affluence, the residents of now Danvers, Massachusetts decided in 1692 to hunt down and blame their sad troubles on a bunch of witches. Culminating in the now-famous Salem Witch Trials, nearly a score of supposed witches including the unfortunate Bridget Bishop were hanged up on Gallows Hill. People eventually came to their senses, but it took time.

Today, amidst an epidemic, anger toward outsiders, and simmering hatred between communities of varying affluence, a segment of American society has decided in 2020 to hunt down and blame their sad troubles on a bunch of . . . cyber security experts. Unlike the Salem Witch Trials, which have become the prime metaphor for unfounded claims of malicious acts, it remains unclear how the present situation in cyber security will resolve.

Let’s start with Eric Coomer. As director of product strategy and security for Dominion Voting Systems, he has been the subject of endless attacks by conspiracy theorists for allegedly performing evil acts. This man, who is a cyber security expert and is likely the direct peer of most people reading this article, has literally had to go into hiding for fear of his life. Let me repeat: A professional peer of yours is in hiding because he is a security expert.

Now let’s visit Chris Krebs. As the former director of the Cybersecurity and Infrastructure Security Agency, he has also been the subject of endless attacks by conspiracy theorists for allegedly performing evil acts during the election. One particularly crazed person suggested that this public servant be “taken out at dawn and shot.” Krebs has responded with a defamation lawsuit, but it is unclear how this will turn out. It has been hard to watch this.

Finally, it’s worth spending time with Joe Sullivan. As the former CISO for Uber, Joe was witness to a cyber break-in that resulted in a massive credential theft. Amidst the fog of security response, bug bounty payout, and internal legal debates, the situation was not reported to the government. Despite evidence that officials more senior than Sullivan, including the lawyers, knew of the break-in, Sullivan was charged personally with concealing a felony.

Sigh. During a time when we should be doing everything possible to strengthen our ability to withstand massive nation-state attacks, such as on SolarWinds, we are instead directing our anger toward those of us serving on the cyber battle front. It’s hard not to be confused, since cyber security seems the ultimate non-partisan discipline. Instead, our profession has become the one place where you get blamed when you are attacked. This is crazy stuff.

It is time to cut this nonsense out. I shouldn’t have to even tell you that spreading social media posts and articles by crazy conspiracy nuts is totally unacceptable. Even if you are firmly in Trump’s court, you must agree to join the community of reasonable professionals, including the team at TAG Cyber, who would never push our security peers into hiding for their lives. Security experts need our support – not our ire. Remember, this could happen to you.

Sadly, it took nearly two decades before the government of Massachusetts humbly apologized, provided financial restitution, and passed legislation to restore the good names of the hunted witches. Let’s hope that we don’t have to wait that long before the experts working hard to protect our society from cyber threats are treated similarly. This article is a call to action for the cyber community be more vocal in our collective support for our peers.