As I have promised in previous posts, I will continue to use this space to publish comments and letters we receive on our coverage. This most recent comment came from someone read our news item a few weeks ago about the recent spearphishing attack on the White House. Our reader noted:
"Infosecurity should not be spinning stories like the White House Phishing email. This wasn't a data breach. This was nothing more than everyday phishing. Let’s use the correct terms when describing events and incidents and not get into the 'cry wolf' type of editorializing."
– David Jordan, CISO, Arlington County (Va.)
Allow me to respond to each point in turn. First, I do agree with David that Infosecurity should not ‘spin’ stories, as the aim of our news items is to provide comprehensive, objective coverage – as any good news organization should. Then there is David’s assertion that this was not a data breach. This may not be so clear cut, but I do agree with his call for use of proper terms.
As any infosec professional is fully aware, attacks like spearphishing are one of the primary means used to infiltrate the networks of high-net-value organizations, such as the White House. And, what exactly constitutes a data breach is also a matter of opinion – it is itself a term with no precise definition. I rather like the one provided to me by the John Colley of the (ISC)², which I used as fodder for a recent editorial:
“Given that security is usually defined in terms of confidentiality, integrity, and availability, it can be argued that a ‘breach’ of data or otherwise could be a breach of any of these attributes”
So, if you like this rather ‘umbrella’ definition for the term data breach, as I do, then it appears that a successful spearphishing attack on a network at the White House would fit the bill. Logically, a successful penetration by a spearphishing attack is a compromise of both confidentiality and integrity, and therefore a breach. Again, you may not like the definition, which is a view I can fully understand.
A re-reading of the news item demonstrates that our news editor, in this case, presented both sides of the story: the unofficial reports that hackers linked to the Chinese government used this spearphish to penetrate one of the US Government’s most sensitive computer networks; and then the official response from the administration that the attack was detected and stopped. Our news editor did not assume one version to be more correct than the other – he simply presented both sides of the story, leaving it to the reader to draw their own conclusions.
But having taken issue with David’s criticisms, I do believe his assessment is correct when reading the concluding paragraph of the article:
"So, was the White House attacked? Of course it was. By China? Yes, along with myriad other nation-states, criminals and hacktivists. Was it breached? Quite possibly. How deeply was it breached? We’ll probably never know."
These comments, while not in error, do reflect the commonly held view of many in the field of infosec/cybersecurity. Has the Chinese government attacked White House networks? Of course it has; but, conversely, the same can be said for the US government, which has undoubtedly engaged in the same tactics with respect to China and many other governments. But, if you read the comments from a perspective purporting to be news coverage, I do believe they occupy a rather gray area between news and editorial, and for this I do thank David for taking the time to send over his candid comments, and hold us accountable.
I hope our other readers will continue to do the same.
How do you define a data breach? Do you agree with the definition I have used in this post? If not, I would welcome you to follow in David’s footsteps and post your comments – and definitions – below.
Update:
David graciously sent me the following response to my post -- thanks again!
"I discussed the article with our Security Compliance committee this morning. The consensus was Spear Phishing is not a data breach. It can lead to a social engineered breach or malware downloads that are used to gain access to support a breach but Spear Phishing is generally not an unusual experience for most network operators... we don't always have time to read each and every article but we'll continue to enjoy what you publish and hope you'll keep in mind our thoughts. Clarity is more precious than gold in a world where most precision is blurred by spin."