Too Much Information: Canceled Security Talk Deemed Too Risky
French security expert Eric Filiol was scheduled to give a talk this Friday (Mar. 14) about the possibility of cyberattacks on critical-infrastructure facilities in the United States.
But the talk, titled "Hacking 9/11: The next is likely to be even bigger with an ounce of cyber," was abruptly canceled yesterday (March 9), less than a week before it was to be presented at the CanSecWest security conference in Vancouver, British Columbia.
In a Google Plus posting, CanSecWest organizer Dragos Ruiu said that the French and U.S. governments had intervened, classifying Filiol's presentation, apparently because of fears that criminals or terrorists could use it as a roadmap for carrying out attacks on power plants, electrical grids and other facilities deemed critical infrastructure.
The cancellation caused an uproar in the security community as bloggers repeated Ruiu's posting. But in an email message to CSO Magazine's Steve Ragan, Filiol said that although some officials had advised him to cancel, the decision was his own.
"I think I will never do this talk," Filiol wrote. "From a personal point of view, there are too many mad people in the world and I do not [want to have] responsibility that a small group of people use my work to harm people and provoke disruption in modern countries."
A description of the CanSecWest presentation that Filiol had posted on his own blog, then later took down, was still available in Google's cache Monday morning.
The synopsis suggests that cyberattacks by themselves are not enough to secure a tactical military advantage over an enemy and need to be used as part of a larger strategy.
"It is the clever and evil combination of cyber and conventional tools that will provide major disruption and chaos effects," Filiol had written.
Filiol also planned to illustrate his point by simulating scenarios in which "attackers could provoke major disruption, disorder and chaos" in the U.S.
Filiol is head of the Operational Cryptography and Computer Virology lab at Paris-based engineering university ESIEA (École supérieure d'informatique, électronique, automatique) and a former officer in the French army. His research interests include computer warfare, according to his website and resume.
The issue of how much security experts can and should say about the exploits and vulnerabilities they discover has always been contentious. At the RSA security conference in San Francisco last month, Dan Guido of New York security firm Trail of Bits noted that cybercriminals do very little research and development on their own, often relying instead on professional researchers' disclosures to conduct their attacks.
"I haven't seen a whole lot of R&D done by any attacker group anywhere," Guido said. "The kinds of vulnerabilities that get exploited are the kinds where they're handed instructions on how to do it. ... I actually wonder here if we're digging our own grave, or if certain people are advancing the state of the art in ways that, unfortunately, come back to bite us."