Security Q&A: reporter Joseph Menn

ZDNet Australia speaks with Joseph Menn, who has been a cybercrime and technology author for more than a decade for the Financial Times and Los Angeles Times.
Written by Darren Pauli, Contributor

Joseph Menn has been a cybercrime and technology author for more than a decade for the Financial Times and Los Angeles Times. His exploits in infiltrating the infamous Russian Business Network — during which his life was threatened — are detailed in his book Fatal System Error. Menn tracked cybercrime from San Francisco to Costa Rica and from London to Russia, uncovering everything from petty theft to state-sponsored assaults and economic espionage by the Chinese and Russian governments.


Joseph Menn (Credit: Darren Pauli/ZDNet Australia)

Name: Joseph Menn

Position: reporter, The Financial Times

Career: Menn has published almost a dozen books on cybercrime. Since joining the Los Angeles Times in 1999, he has covered all manner of IT news.

ZDNet Australia: why did you enter the information security industry? What do you find most interesting about it?

I have always covered cybersecurity and something else. I'd love to just cover cybersecurity, but one has to pay the bills.

I like writing about bad guys because sometimes they show flaws in the system that are part of larger issues. I covered security when disaffected teenagers crashed Yahoo, and then there was this huge shift in 2003 to 2004 when the viruses stopped being about proclaiming love for a stripper called Melissa and started being about big business. That was a big deal. I felt that the organised criminals behind malware had to be discussed and I devoted years to it.

In your investigation, two Russians got off on probation for US$10 million in fraud. Is law reform required?

It would be nice, especially if countries like Russia adopted [reform], perhaps the EU Convention on CyberCrime, which isn't going to happen. This ecosystem is untouched. Most of these criminals operate with no fear of prosecution, and their biggest fear is getting their bots taken from them by other gangs.

How honest do you feel security companies are?

In general, I believe the security companies do good. They sell good stuff and legitimately try to inform people as to why they need their products. It is unfortunate that with a lot of these products you are still not protected, which is a harsh reality. The latest and greatest Zeus still escapes most antivirus. It doesn't mean you shouldn't get it, but it shouldn't give you a false sense of security.

Some say user education is misguided, that the answer is in better software code and tougher penalties. What do you think?

Do all of those things and it still won't be enough, but there is no reason not to educate consumers. American students can get credit in high school for learning to drive. The same should be done for cybersecurity. You can sue for bad code, but big buyers can insist on a baseline of security.

I have heard noise about an online identity scheme in the US. What's your take on that?

There's been a lot of bad reporting around that: there is no plan for a national identity or online passport. It is a system of greater voluntary authentication so that users can log into banks and travel to other sites with greater security. It is a project of White House cyber-security adviser Howard Schmidt and it needs support. It has been driven from the start with privacy, consumer controls and transparency in mind. It could work in Australia.

How much do you read into cyberwar?

There has been a great deal of attention given to the concept of cyberwar in the last year. A lot of what has been said is exaggerated and scenario-driven, but it is bringing light to the less-sexy issues in information security which centre on fraud. By and large, I do not believe the cyberwar issues will come to pass. But then Stuxnet is the first instance where self-propagating code has knocked over real-world infrastructure, and it seems very likely that people will re-appropriate it.

So what is your advice to critical infrastructure owners?

There needs to be attention paid to it. In the US there is not good information sharing between the government agencies in the know and operators of critical infrastructure. The feds don't have the authority to tell a critical infrastructure operator to fix a problem in a certain way. There is some legislation [the Rockefeller/Snowe Bill and the Lieberman Bill] in Congress that could clear this up, but it was shut down. Everyone in the US House of Representatives is worrying about getting re-elected in November, and cybersecurity, no matter what the hype, is not something that gets someone into office.

This year, we've had half a dozen significant data breaches —

That you know of.

Indeed. Lush was one. What did you think of it?

That was embarrassing. The database was not encrypted.

Vodafone was another bad one. The telco spent millions of dollars on a customer database yet may have shirked on spending to protect it. So if such a large company won't spend the cash, what hope is there for information security?

All businesses are financially oriented, and penalties either metered outside the civil justice system or by regulators would be an enormous help. Unless that happens, the stuff will continue.

Verizon said data-breach notifications do not reduce data breaches. Do you agree?

I do not agree with that. We didn't know how many data breaches there were before; it has enabled cyber lawsuits, which are a good thing because they draw press attention and scrutiny when they occur.
