Too Much Information: Canceled Security Talk Deemed Too Risky

French security expert Eric Filiol was scheduled to give a talk this Friday (Mar. 14) about the possibility of cyberattacks on critical-infrastructure facilities in the United States.

But the talk, titled "Hacking 9/11: The next is likely to be even bigger with an ounce of cyber," was abruptly canceled yesterday (March 9), less than a week before it was to be presented at the CanSecWest security conference in Vancouver, British Columbia. 


In a Google Plus posting, CanSecWest organizer Dragos Ruiu said that the French and U.S. governments had intervened and classified Filiol's presentation, apparently out of fear that criminals or terrorists could use it as a roadmap for attacks on power plants, electrical grids and other facilities deemed critical infrastructure.

The cancellation caused an uproar in the security community as bloggers repeated Ruiu's posting. But in an email message to CSO Magazine's Steve Ragan, Filiol said that although some officials had advised him to cancel, the decision was his own.

"I think I will never do this talk," Filiol wrote. "From a personal point of view, there are too many mad people in the world and I do not [want to have] responsibility that a small group of people use my work to harm people and provoke disruption in modern countries."

A description of the CanSecWest presentation that Filiol had posted on his own blog, then later took down, was still available in Google's cache Monday morning.

The synopsis suggests that cyberattacks by themselves are not enough to secure a tactical military advantage over an enemy and need to be used as part of a larger strategy.

"It is the clever and evil combination of cyber and conventional tools that will provide major disruption and chaos effects," Filiol had written.

Filiol also planned to illustrate his point by simulating scenarios in which "attackers could provoke major disruption, disorder and chaos" in the U.S.

Filiol is head of the Operational Cryptography and Computer Virology lab at Paris-based engineering university ESIEA (École supérieure d'informatique, électronique, automatique) and a former officer in the French army. His research interests include computer warfare, according to his website and resume.

The issue of how much security experts can and should say about the exploits and vulnerabilities they discover has always been contentious. At the RSA security conference in San Francisco last month, Dan Guido of New York security firm Trail of Bits noted that cybercriminals do very little research and development on their own, often relying instead on professional researchers' disclosures to conduct their attacks. 

"I haven't seen a whole lot of R&D done by any attacker group anywhere," Guido said. "The kinds of vulnerabilities that get exploited are the kinds where they're handed instructions on how to do it. ... I actually wonder here if we're digging our own grave, or if certain people are advancing the state of the art in ways that, unfortunately, come back to bite us." 

Jill Scharr (@JillScharr), Tom's Guide

  • house70
    Nah. They threatened him if he held the presentation. Since exposed security holes lead to patches almost 100% of the time (unless the operators are completely irresponsible, in which case we have a much bigger problem than a public presentation), such a cancellation is irrational. I can't believe that a security expert would embrace a "security through obscurity" approach.
  • curiosul
    You can avoid facing reality (uncovering security holes). But then you can't avoid the consequences of avoiding reality (cyber attacks). HOWEVER, in a country where FEELING SAFE is praised (way) more than BEING SAFE (what? there's a difference? who knew?), that's expected. And Google is so stupid for paying people to find software bugs!
  • dalethepcman
    Part of performing ethical hacking research is being discreet with vulnerabilities that you discover. You first give the entities that it would impact time to evaluate and duplicate your findings, then make a plan to mitigate the issue, whether that be patching or replacing, duplicating or hardening of infrastructure. If a bunch of men in tinted-out SUVs dressed in black suits came to my house and told me the contents of my speech next week could lead to terrorist activities disrupting the lives of thousands or millions of people and causing untold damage to critical infrastructure systems and potential loss of life, I would have a serious reconsideration of who I disclosed that information to as well.