by Andy Jabbour
I’ll keep this brief. Security professionals and their organizations, journalists, media organizations, and all those who may have access to security-related privileged information, are acting recklessly and irresponsibly when they publicly post that information, contrary to the designated information handling guidance associated with that information.
Last week, the FBI and DHS shared a document relating to the threat of criminals taking advantage of ongoing telework and conducting a voice phishing (“vishing”) campaign. That report was released to trusted partners and clearly marked as “TLP:AMBER.” TLP:AMBER, according to the link provided on the document (which takes you to a DHS Cybersecurity and Infrastructure Security Agency [CISA] website), states, “Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved.” Further, clearly stated on the webpage, “Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.“
On Friday, one well known security journalist decided to publish the Advisory on his website and subsequently, numerous security-focused media sites reported on it and republished the Advisory. As our team conducts continuous collection to inform our activities, we were taken aback by the complete disregard to the TLP and complete failure to respect the security guidance. Many organizations, such as Information Sharing and Analysis Centers (ISACs) and Organizations (ISAOs), have long relied on TLP to share information quickly and clearly. Many security groups also rely on TLP and participants’ respect of TLP to share information, and, increasingly, both U.S. Government and state and local government entities (i.e., fusion centers) are also adopting TLP use. TLP works well, is simple, clear and effective. As long as it is respected.
Our country and our many great organizations face an ongoing barrage of threats from criminals, foreign governments and their proxies, unethical competitors, and others. Reporters failing to adhere to basic protocols should not be an additional security threat, but, sadly, they sometimes are.
Fortunately, there was nothing highly sensitive in the Advisory, but that’s not the point. For information sharing to work, there has to be trust. When trust is broken, it causes challenges to the entire information sharing community that is involved. In this case, there was absolutely no need to publish the Advisory. It was irresponsible, reckless, and showed poor judgement and lack of respect. Poor choice by the journalist that did it (one who generally provides a lot of great reporting and really had no need to make this choice), and a poor choice by all those (usually very good) outlets that reported it.
When reporters and media behave like data leak sites, they lose credibility and violate the trust of those who often count on them. If a reporter is really compelled to report on trusted information, report on it, but there is absolutely no need to publish the document. I respectfully challenge everyone to do better.
