Episode 133
Episode Transcript
Narrator 00:02
This is CyberSound, your simplified and fundamentals focused source for all things cybersecurity.
Jason Pufahl 00:11
Welcome to CyberSound. I’m your host, Jason Pufahl, joined in studio – I love saying in studio – by Steve Maresca.
Steve Maresca 00:17
Hey there.
Steve Maresca 00:18
And we’ve got Greg Otto, Editor-in-Chief of CyberScoop. Greg, thanks for joining.
Greg Otto 00:24
Absolutely. Thanks, gentlemen. Appreciate it.
Jason Pufahl 00:27
So Greg, I’ll say, Greg’s a real journalist. We play journalists as part of our cybersecurity business, but you know, on a biweekly basis, this is what he does for a living. So we had the opportunity to connect, had a little bit of a conversation, because we’re certainly both in the security industry, coming about it from slightly different ways, but talked a bit about this idea of kind of responsible cyber reporting, and I think in this day and age where we have so much sensationalized, certainly somewhat sensationalized news, a lot of news generated for the purposes of generating clicks and visits to websites, things like that. Something like CyberScoop stands out because I think they approach it a little bit differently. So I wanted Greg, if you could give a little bit of a background, maybe a little bit of background on who you are, how you got into this business. But then, you know, frankly, how you approach cybersecurity reporting and, you know, in the way you do it, I think, because I think it’s meaningful.
Greg Otto 01:32
Sure, yeah, so CyberScoop has been around since 2016 and we really look at it from a really high level standpoint. I would say our audience is cybersecurity practitioners and cybersecurity minded business folk. And I would say that from the standpoint of you care about everything from vulnerability management to encryption to all of the tech that goes into cybersecurity. You’re going to read CyberScoop, but also, we’re based in Washington, DC. CyberScoop is part of a website under the parent company, Scoop News Group, leading government and business IT media space. We have a bunch of other publications here in Washington, DC that really focus on technology policy, and cybersecurity policy is a big part of CyberScoop. So we’re constantly talking to the White House, the Office of the National Cyber Director, the National Security Council. We’re talking to DHS and CISA. We know all their leadership well, all the way going back to when it was stood up, and even before then, for those that are familiar when it was called NPPD, like we knew it when it was called that too. So we’re really ingrained there. We’re really talking to all of those experts and really what is going on from like, a federal government standpoint, and also from a Capitol Hill standpoint, because bills get passed, like, as of right now, we’re working on stories that talk about the reauthorization of the information sharing bill that was passed in 2015 so that type of stuff we cover as well. But also, I would say, like, what I like to call like cybersecurity adjacent people, whether it’s like academics, lawyers, insurance firms, like, there’s so much that goes beyond just the technical aspect of cybersecurity that we try to rope in more and more with our coverage. And we’ve gotten, you know, a great, loyal readership and really a community. We think of it as a community, and we really get out there to really hear what’s going on and report what’s going on in the industry.
But also, like you said, we really don’t want to sensationalize it. My big thing as a journalist, and I’ve been a journalist since I graduated college, I mean, in 2008, it’s really just the hunt for truth, and I think of it as like a practical truth, where it’s like, I’m not afraid, and I never want my reporters to be afraid, to just take a step back and go, Wait a minute. Like, let’s take a breath. Let’s look at what is really going on here and talk about it from just a truthful standpoint. Like, for instance, we have a big story this week. I’m sure that a lot of your listeners have paid attention to it. It got mainstream media traction that there was this, the breach of all breaches, 16 billion password breach that got picked up all over the place. I was sitting on my couch on a weekend, and my family just had Good Morning America on in the background, and Good Morning America was talking about this breach and how it was partly responsible for the Aflac breach and partly responsible for the United Foods breach. And I was like, Okay, this is way too much. So I deputized one of our reporters, Matt Kapko, you know, go talk to experts. Obviously, go talk to the experts that we always talk to. Go out. And I know they’re already talking about this from the standpoint of, well, that’s not really what happened here, like what happened is some enterprising cybersecurity criminal went out, bundled a bunch of passwords that were stolen from information stealers, bundled them all together and then put up a forum post that said, I’ve got the mother lode, like this is the breach of all breaches. And it’s not really what happened. It was cumulative. It was not that. It wasn’t worth worrying about, but worrying about it from the standpoint of your Apple account’s hacked, your Google account’s hacked, like every account that you’ve ever had, like 16 billion people, I don’t believe are even on the internet.
So it was like two or three, two or three accounts per person. It was all just noise.
Steve Maresca 05:47
And realistically, we’ve already worried about it six months ago and the year prior to that.
Jason Pufahl 05:52
Yeah, right.
Greg Otto 05:54
And from a news standpoint, to me, it was really good to put it out there, from the standpoint of not that you shouldn’t be worried about this to some degree. Like, credential abuse is a big deal. Information stealers are a huge deal. I mean, the FBI has spent the past, I feel like eight weeks primarily, really out in front part of, like, Operation Endgame and a bunch of other operations, like Lumma Stealer has come down. I think Raccoon Stealer has come down. So there is a need to stop this stuff from happening. But just the way that it was framed as, like, every account ever on the internet just got dumped in this big password breach. It’s like, well, no, yes, yes, and no. Like, this is a year’s worth of passwords. It almost is like to me, if, like, somebody were to report today that, like, Donald Trump won the election. Like, yeah, okay.
Jason Pufahl 06:49
But it’s not news.
Greg Otto 06:51
That’s right, that is not news. Like, yes, this is something that we’re all well aware of, for those that have been paying attention to it, so let’s frame it in the right context.
Jason Pufahl 07:00
But people love big numbers. And I think, to your point, that’s the challenge. You know, 16 billion sounds extreme. If you said, you know, 200 incidents of, you know, some million a piece is not quite as sensational. And I think that’s what people are looking for.
Greg Otto 07:15
Yes, you know, unfortunately they are. But I really just think, like, even just going beyond that number, like, I don’t go into my newsroom and go to my reporters and go, Hey, what’s the biggest number breach we can write about today? Like, I’ve never approached a story that way. I will never approach a story that way, like, that’s just not what I’m looking for. Like I would approach it. And really, the way that I would want to approach this, and wish more people did, was that credential abuse really is still a problem, like it’s a really big problem for the majority of organizations out there. That’s why multi factor authentication is such a big deal. Why so many people, really, you know, companies, large and small, talk about the need to have multi factor authentication on everything, and better password management as well. And really talk about it from a thematic perspective, more than just, oh my God, look at the destruction that is out there from all of these breaches. It’s just a poor framing of it. And we really try to frame it from the standpoint of, let’s not be so breathless about it. Let’s not push FUD out there. Let’s talk about it from the standpoint of the way we want the community to talk about it, and also, like, be helpful for the community. Like, I don’t want to push FUD. Like I never want to push FUD.
Steve Maresca 08:37
We want there to be actionable outcomes and a giant amorphous pile of 16 billion credentials. What do you do with that as a defender or as an individual consumer? The answer is nothing. You can’t go and query a database easily as a single practitioner, it’s probably out of reach for a corporation. Maybe a threat intelligence feed has it available if you are able to afford that type of thing. But realistically, what’s the outcome? Well, not sure. Are we affected by this? Not sure. Determining what the next steps are aren’t really possible to convey or even put your finger on, especially for rinsed and repeated aggregate dumps of credentials like that. I would rather turn it into a conversation around, what defenses do we have that enabled this to be a non issue.
Jason Pufahl 09:28
Right. Yeah, and I think you know that, honestly, that’s what makes kind of what we’re talking about here. You know what you’re doing, Greg, and maybe what we’re doing in some way similar. You know, clearly, we’re not a news org, but our objective here is give people information that they can actually then do something with that is sort of reasonable and practical. We’re always trying to, I think, always trying to make people have the knowledge to be a little bit better. So it is educating around AI, and it is educating on, you know, sort of personal security, and is educating on, you know, the challenges that we have with privacy, but then not talking about it from a fear standpoint, but talking about it about, here’s the risk. Here are some things that you can do to actually make yourself a little bit safer or protect some of the data, maybe for your children, or things that are actually practical and useful. 16 billion doesn’t get you there, right, and it sounds like that’s exactly the same approach that you have.
Steve Maresca 10:27
I think there are related subjects too, where the actual reported issues aren’t exactly squared with vendor representations of a breach and things of that variety that are tricky issues to navigate. And truth always follows on the heels of falsehood and distortion. It’s always playing catch up. I’m thinking back to the Oracle Cloud reported compromise a few months ago.
Greg Otto 10:54
Right.
Steve Maresca 10:54
Was it or wasn’t it? Well, you know, there are claims in all directions, and getting to actual clarity took a really long time.
Jason Pufahl 11:01
Yeah.
Steve Maresca 11:02
And that’s a distraction from the people who are trying to do the right thing. And you have to sink time into that to get to clarity. It can be a distraction from what really matters.
Greg Otto 11:12
Right. And it’s, you know, it’s funny that you bring up the Oracle Cloud. Part of it is there are times where stories like that happen and inside the newsroom, like, we’ll track them down. Obviously, they’re obviously very newsworthy. But there are times where you might not see anything on our website. It doesn’t mean we don’t know it exists. It’s like, there’s a bar to reach, like, I don’t want that Oracle Cloud was so messy that it was like, it got to the point where it was like, I said to my guys, like, we’re going to need to, like, just back off this. Like it’s too noisy. Nobody’s giving us, like, concrete facts to back anything up. Like there’s just not enough, not enough hours in the day to, yeah, there’s no substance and not enough hours in the day to track all of this stuff down to get it to a point where we can feed the news cycles the way that we need to feed the news cycles, because being in news, this isn’t beholden to just the cybersecurity, technology news industry. It’s the news industry period. It’s the internet. We got to feed the beast, and we’re moving on and finding other stories where we don’t always have the time to sink our teeth into it, and if they are messy, like they were the Oracle Cloud stuff. It does a disservice, because yet we’re not going to report on it because we don’t know the actual truth. But there are answers out there that need to you know, obviously, I bet some Oracle Cloud users could have used some better reporting out there to figure out what exactly it was going on.
Steve Maresca 12:36
So what are some critical questions that consumers of news, consumers of advisories and things like that, can actually use to evaluate the legitimacy, authenticity, the factual underpinnings of what they’re reading, regardless of the venue?
Greg Otto 12:52
I would say that in terms of like in the cybersecurity industry, I would just say, if the publications are actually talking to the like, I think about like the CVEs, a lot of the times, like, we will try to reach out to companies that are not only the ones that are issuing the CVEs, but like that do, just do good work in the space. Like, for instance, there’s been a lot of we’ve covered a lot of news around Ivanti. Ivanti has had a lot of CVEs in the past six months, and we’ve talked to some experts that we know are very, very tapped into the way that Ivanti works, to the actual technology themselves and that are talking to us and are giving good information. And it’s not a one off, like, if you’ll notice, like, it’s just sourcing. Like, if we have good sourcing, we’re going to go back to them, and we’re going to talk to these experts, because we know they’re giving us good information. But it’s also from the standpoint of, like, not everybody in cybersecurity is going to be a catch all. Like, don’t get me wrong, like we’re not dialing up the same five people for every five stories that we’re doing. We have our encryption experts, we have our Windows experts, we have our Mac experts. We have, you know, fill in the blank there on the expertise. We have a really good relationship with our experts that like to talk to us for the same reasons that we were talking about previously, like they know we’re coming at this from the standpoint of we’re not just ambulance chasing, like we are going after the practical truth to say, Okay, if you’re an organization that is affected by this, what do you need to worry about, and where does it fit into your risk level? So that’s I would say, if you are a consumer of this news, look for the depth of talking to experts and the way that we are backing up like their expertise, that is really a big thing too.
Like if you keep seeing the same name, and you’re like, if it’s, yeah, something that has to do with, like Kubernetes, or something like on that level, from like an app sec, or an app delivery, and we’re talking to somebody that is like, and you see a story that is like, Oh, well, this person looks like they’re just like a consultant or it looks like their expertise is something different. Like, that’s bad, like, that’s somebody just going out and searching for a quote, yeah, just for the sake of having a quote, like, make sure that the expertise that you’re reading about also is coming from people that have the bona fides to speak about whatever it is that they’re speaking about within the context of the story.
Jason Pufahl 15:37
So if I could add on to this a little bit, because I’m curious your perspective. We talked a little bit about AI as we, maybe, as we prepped for this call, but I’m going to ask a different question, which is, how have you seen AI impact news and reporting, and maybe speak a little bit if you could, to the potential your risk that there is in the level of concern people have about misinformation or disinformation, because I’m sure that’s you know, and I think it ties into Steve’s question around, how do you how do you validate or verify where news is coming from and the authenticity of it, right?
Steve Maresca 16:13
There’s a proliferation of AI slop out there. How do you sift through the garbage to get to the meaningful nuggets?
Greg Otto 16:22
God that is, it is such a good question, such a thing that I’ve been thinking about a lot, and that we talk about within, you know, the the journalism ranks itself. It’s tough because, look, I am not. I think a lot of journalists tend to be like anti AI, like, straight across the board, and I’m not exactly there. Like, don’t get me wrong, the proliferation of AI slop is a negative. It’s just, it’s, it’s poor, like, I don’t even understand, like, who is reading it, or, like, why you would even think about it from a business standpoint. Like, I can I get it from, like, a labor perspective, like, but at the same time, like, that’s not beneficial to anybody. So from a product standpoint, I’m like, I think you’re doing your readers and your consumers a disservice. I really look at it from a journalistic standpoint as like, a tool, like, but it’s just a tool. In the same way that like, my phone is a tool. Like, I can record on my phone, like I can look I can read on my phone, like I can have a bunch of different apps that help me. And I think of just generative AI in the same way where there might be some times where I go, you know, writer’s block is a real thing where I might turn around and go, Hey, GPT or Claude or Gemini or whatever. Like, I got this idea that I’m working on, give me five suggestions, and that’s just what it is. It’s just suggestions. And then I’m looking over that, I go, Oh okay, all of these stink, I’ll go back to the well and rely on myself, or I’ll go, oh, okay, no, that’s, that’s good. I like where that is going. And I’ll, introduce the idea, or no, it’s not even the idea. Like the framing, like it’s a writing tool more than like, I’m not turning around to ChatGPT and going, oh, there was a story about 16 billion breaches, ChatGPT. Write me 450 words on that, because what I’m going to get is awful. 
And it’s getting to the point now where people are starting to recognize it enough like there are these little tells in the way that GPT creates text. Like, it’s really big on em dashes, or it’s really big on like, its sentence structure is, like, Scenario A isn’t B, it’s C, and it’s like, oh, people are going, Oh, okay, that’s not the, there’s, this is AI slop, like, it’s just, there’s differentiators there. So that being aside, it’s still a profession where, like, I gotta pick up the phone and call people and have human interaction in order to do this job at a level where I’m going to get readership and going to stand out in the industry, otherwise, I am just going to be, like, AI slop, like everybody else, and I’m not, I mean, and then the business folds. Like, that’s obviously not what I want to do. Like, I like having a steady paycheck. So I think, yeah, it’s a tool, and it helps with writing, and it helps with structure, but that’s all it is in my industry. And that’s like, all the positives that I get out of it from like, or I will say, from like, a cybersecurity perspective, because it has crawled the internet. If there is something on a technical level that I don’t understand, I might turn to ChatGPT or one of the other LLMs and go, Hey, can you explain this to me? Like, help me understand this? Like, on a high schooler’s level, which is really helpful, because then it helps me find a way to inject that into a story. Because you never know as an audience, like, yes, we want the expertise and the people that are high up and have spent decades in cybersecurity to read us, but you never know when somebody is going to come across your website. That is, you know, a novice, and they need something explained to them like nobody knows everything in this industry, it’s a new industry.
So if there is a student or somebody that has had a career change that is only into this two to three years, and needs help explaining or having a concept explained to them that that AI, yeah, it’s a good tool for that. So it’s, I would say that it is complicated, but I will say that I’m a little bit further on the spectrum than most journalists. Because I do think that most journalists are like, This is bad. This is bad for us. This is a harbinger of bad things that come and it’s like, well, I don’t, I don’t necessarily think so. Like, yes, if you’re if, if you get the sense that an outlet is just whole cloth, ripping articles out of an LLM and putting it up there, it’s going to be wrong, and it’s and it’s a bad and it’s a bad publication, and it’s not going to be around in six months. But I don’t think, I don’t think that.
Jason Pufahl 21:10
But to use it as a tool is not necessarily the wrong thing either.
Greg Otto 21:13
Right.
Steve Maresca 21:14
Yeah, the problem ultimately is that your readers are probably confronted with a huge amount of that generated material, and you’re competing for eyeballs in that sense too. Bring it back to vulnerabilities, you mentioned CVEs in passing. I mean, there are very robust statements issued by some folks in the bug bounties realm, like with HackerOne and the cURL project, they had some vulnerability reports given to them that were completely unverifiable because they were generated through some sort of agentic workflow that didn’t actually have grounding in reality. There are real negatives coming out of some of the applications involved that make our job more challenging collectively.
Jason Pufahl 22:02
But so maybe the most basic is you have, if you see news, try to validate it on a variety of different sources. You know, I think that’s part of the challenge. Is oftentimes people, they get tied into one source, and that’s where they get all their information. So, you know, maybe they’re a little bit easier to do than somebody who’s willing to put a little bit of effort into validating what they read and actually corroborating that.
Greg Otto 22:22
Right. So to me, it just comes back to whether it’s journalism, vulnerability management or, like I because I know people sometimes, like doctors use ChatGPT to help, like, with diagnosis, to me, it’s a suggestion, and people taking it whole cloth to insert, like, oh, just, yeah, whatever it says, and I’m just going to put it into whatever workflow that I have. That’s a recipe for disaster across any industry. So going back to, like, the agentic AI and the vulnerability management thing, if you’re talking about that from a code standpoint, and you’re like, Oh, check this code for CVE, whatever, or or a buffer overflow, or, you know, cross site scripting, or whatever, and it gives you something, and it says, Oh, yes, I found it. But if you’re actually doing your due diligence and go, Wait a minute, like that, this isn’t right at all, and you decide to put it into production and just ship it and call it a day. That’s that’s a disaster, like, and that shouldn’t be part of the process at any point, like, to trust, to trust. What is coming out of these LLMs, whether it is just an output that you put in, or it’s something agentic or whatever, I just think that we’re not there yet. I don’t know if we’ll ever get there. I think we’re, I think the industry is moving that way, where it’s getting better and better, but still, at this current point in time, it’s, it’s all verification, like, and that’s, I think that’s maybe why I am not so like, caught up in the negatives of it, because I always verify what I’m doing anyway. Like, I would never trust that whole cloth anyway. So anybody out there you’re doing coding stuff, and you’re just trusting its answers from a security perspective, or whatever technical perspective that you’re doing that’s just bad, like, don’t, don’t do that. Like, verify it. You should be absolutely verifying that.
Steve Maresca 24:16
What would you ask that readers convey in general to you through us in general, to help better frame our attention overall? What are some things that aren’t covered that we, you know, should walk away with in terms of our collective attention into the future?
Greg Otto 24:34
So I think that from an industry basis, really it’s the what we want to learn. And something that is really, really, it’s a really big theme, in my mind, is that how things practically play out, like we get bombarded by marketing about how X product is going to be the silver bullet in cybersecurity, blah, blah, blah, all this stuff, and there is a bunch of it that is marketing led. But what I want to know, and what I want readers to know, and what I want to be in our reporting, is the way that security is practically handled, whether that is like, I can’t tell you how many times that I’m talking to experts and they’re like, why wasn’t this CVE patched? Like, just patch it. Basically, like riffing on the old Nike: Just do it. Just patch it. And practically, that’s just not how it plays out. Like, we know that’s not how it plays out, like everybody’s IT system is unique, and you never want to break anything. And patching can take forever. And I don’t think that, like, that particular angle never gets written about, and that’s just one angle that is an example of what I’m talking about. Like, how does this stuff really play out in a business and in an enterprise? How does all of this mesh together? And then on top of that, it’s okay. Well, what could the industry do to be better when we come across a hurdle or a headache in there? And how do we figure that out industry wise? So we can, you know, get the solutions and actually get to a point where I feel like security practitioners, I hear all the time, are just burnt out beyond belief, like that. That’s not sustainable. It’s just not sustainable.
So when it comes to our reporting, we want to be able to not just report on the news, but also talk about things that have solutions, so there’s just a little less burnout in the world, and people can gain knowledge and take it back inside their enterprises or back in their communities, like the cybersecurity community talk amongst one another and figure out a better way to do their jobs.
Steve Maresca 26:44
So bottom line, pursue authenticity. Look for it. Discard those things that aren’t, and look for things with nuance, because that’s what’s absent, and that’s what we need.
Greg Otto 26:54
And I would also say too, there is something else that I think a lot like, look it’s hard for us to talk to sources a lot of times for a lot of the stuff that we reach out about, because, look, a lot of this stuff, when it especially comes to breaches, a lot of it gets wrapped up in legalese, which I totally understand. But at the same time, like, I think there needs to be a little bit of a mind shift in the industry where, just because you are a victim and reporters come and want to learn like we want to learn about in order to like, bear witness so somebody else doesn’t have to go through the same thing. And a lot of the times, we talk to people that are afraid to talk to us because they feel that us reporting means that they’re going to be cast in a negative or a negligent light. And that, oh, that has always really bothered me. That bothered me for years, because it’s like, if there’s a bank robbery, the bank doesn’t like unless the bank hung a sign outside on the door that said, free money, nobody’s going to turn around and say the bank was negligent. So I wish there was more of that in cybersecurity, where it was more of just okay, yes, we were a victim, but here’s our victim’s story. And you know, we were just a victim. It was nothing negligent on our own. It’s okay to tell those stories, because I think that that will ultimately get us to a place of having better cybersecurity across the board. When you learn from people that have gone through the toughest times, because I’ve talked to numerous companies that have gone through ransomware attacks, and all of them say it was one of the worst episodes of their lives. Nothing’s going to get better in that regard, unless you share what you can share again. I understand the legalese part of it. I don’t.
I don’t want to be wrapped up in a lawsuit any more than anybody else does, but I always strive to share more of those stories, because I think hearing it from the people side of things, it just resonates more. And I think that hearing it from the people side of things and hearing it from the victim standpoint, it’s going to help raise the bar for cybersecurity across the board.
Steve Maresca 28:53
Invariably, organizations emerge stronger from a breach or from an incident, and sharing how they did so could help others.
Jason Pufahl 29:00
Yep. So, I mean, I think that, and that’s probably a good way to wrap, which is, you know, if you can provide some actionable information that, what did you say takes a little bit of angst out of the world? I think you said it differently than that, but you’re trying to convey, basically, can you make lives easier a little bit by giving some useful information that’s grounded in fact, that gives people the ability to reasonably act.
Greg Otto 29:23
Just bearing witness to what has happened. Yeah.
Jason Pufahl 29:27
Yeah. Well, I mean, that’s great. I appreciate you coming on, Greg. I appreciate you sharing a little bit about your perspective on how you report. I mean, it’s a hard job, and you’re, to Steve’s point, you’re competing for eyes or ears, depending on the medium, but,
Greg Otto 29:42
Both.
Jason Pufahl 29:43
Yeah, and it’s so difficult. And it’s in particular difficult if you are doing a little less of the pure sensationalism and trying to, you know, kind of bear down on facts a bit more, because it might not be as attention getting so I appreciate your focus there. And, you know, wish you the best of luck as you continue down that path.
Greg Otto 29:59
Thank you very much.
Jason Pufahl 30:00
And you know, as always, we end if there’s any questions that anybody has for, sort of, for Greg or for us, right? We can always kind of relay them. Greg, happy to have him back, happy to talk a little bit more about this. I think, you know, reporting and sort of understanding the information you’re getting is critically important and, frankly, clearly becoming more and more important all the time. So good work, Greg.
Greg Otto 30:25
Absolutely. Appreciate it. Thank you very much.
Jason Pufahl 30:28
Thanks for joining.
Narrator 30:28
We’d love to hear your feedback. Feel free to get in touch at Vancord on LinkedIn, and remember, stay vigilant, stay resilient. This has been CyberSound.