
What the security industry can learn from the World Health Organization

The discovery of computer bugs can be marketing boons for cybersecurity firms. But one critic says the industry should take a page from the health profession and select names for flaws that aren't designed to stoke fear or generate buzz.

[News illustration: The logos for recent vulnerabilities (clockwise): Heartbleed, Venom, Ghost, and SandWorm]

As soon as the cybersecurity firm CrowdStrike announced its discovery last week of a computer vulnerability it dubbed "Venom," the ominous headlines began.

"Venom vulnerability: Serious computer bug shatters cloud security," wrote Fortune.

But as buzz died down and more experts weighed in, much of the initial dread about Venom turned to a collective shrug. "Blinked and you may have missed [Venom]," The Wall Street Journal wrote just a day after it said the vulnerability was sending companies "scrambling." The vulnerability is indeed widespread, but most agreed it would be difficult to exploit. The initial surge of press attention may not match the actual danger.

"The sexier the name, the more media attention," says Christopher Dawson, editor-at-large for the blog from network security firm Fortinet. "Yet when you [name bugs], it creates this sensational thing."

The National Vulnerability Database, a government-hosted repository of computer bugs, ranks Venom just past the borderline between medium and high risk — a 7.5 out of 10. But this year alone, it has listed nearly 800 bugs as high risk, and there is no shortage of 10s. Many of those involve extraordinarily popular software programs such as major operating systems and Web browsers.

But few rivaled the publicity that Venom generated for CrowdStrike. And that's because most bugs just go by their serial numbers assigned before being listed in the database. Venom, which even had a slick logo, had a marketing and public relations team working behind it.

Drumming up attention for some bugs can turn into a victory for cybersecurity firms, but may pose a problem for the broader computer security field, say Mr. Dawson and other experts, because it steals attention from other, more dangerous flaws. But he's come up with a solution: When it comes to selecting names for computer flaws, the security industry should look to another industry that knows a thing or two about naming maladies.

The World Health Organization, he says, gets it right. And its guidelines, he says, could translate perfectly to the computer security industry.

WHO's way

The WHO has been examining the problems that arise from naming for more than a decade but just released guidelines for the process on May 8.

Typically, the first thing people hear about a disease isn't a symptom. It's the name. And that first impression can carry consequences. In 2009, Egypt ordered the slaughter of 300,000 pigs, believing it would help stop transmission of the Swine Flu. But patients diagnosed with swine flu are usually thought to have contracted it from other humans, so killing pigs likely would do very little.

"We did an intensive process over more than a decade to investigate all the ways naming could be misleading or just not provide a good description of a disease, including both past and potential problems," says Dr. Elizabeth Mumford, a researcher who worked on the WHO guidelines.

Past problems included names that were misleading (such as Swine Flu), diseases named after people rather than describing the problem, names that were hard to pronounce or remember, and — in a move that generated criticism that the WHO was being overly politically correct — names that seemed to imply a disease was specific to a certain location.

"The Spanish Flu didn't originate in Spain, and wasn't confined there," Mumford says, as an example.

The same kinds of misleading, not descriptive, and hard to remember names abound in the computer security realm, too. Malware, vulnerabilities, and hacking outfits that choose not to identify themselves are now named by the security researchers who discover them. Usually that means names are chosen more for marketing value than for conveying information.

And that's where the security industry would run afoul of a key WHO guideline: Don't choose names that cause "undue fear."

'Undue fear'

The trend of naming all vulnerabilities isn't that old. It started with Heartbleed in April of last year. The name was fitting; it was a glitch that bled data from the "heartbeat" function that verified connections stayed open in a massively popular Web encryption platform. And more than that, it was a vulnerability historic in terms of its size and potential damage. It deserved a name.

That didn't mean the name wasn't also a marketing effort on the part of Codenomicon, the vulnerability detection tool company that discovered it. Codenomicon registered the domain "heartbleed.com" and designed what would become a ubiquitously used bleeding heart logo before they notified all of the developers who would be affected by the vulnerability.

Then there was ShellShock, WinShock, Sandworm, and an entire legion of cute names derived from acronyms — Poodle, Ghost, Freak, and, last week, Venom. It seems almost impossible to announce a big vulnerability without a name, whether you want one or not. The consulting firm JAS Global Advisors expected a major Windows bug they made public in February to be known by its vulnerability serial number, called a Common Vulnerabilities and Exposures number, or CVE. It still became known as JASBug.

Most often, those names aren't particularly telling when it comes to conveying what actually needs to be fixed.

"Sandworm wasn鈥檛 even a worm," says Dawson.听In computer jargon,听worms are听specific types of malware. Sandworm referred to both a Russian hacking group and the vulnerability it frequently exploited.

Venom was a bit more descriptive; it stands for Virtualized Environment Neglected Operations Manipulation and is, in fact, a bug that affects the networking process called virtualization. But many other bugs affect this process. A more descriptive name, for example, could have mentioned that the bug was in the code for floppy drives.

CrowdStrike declined to comment for this story.

"What ends up happening is named vulnerabilities get more attention regardless of how much they deserve it," says Chris Eng, vice president of research at the Massachusetts cybersecurity firm Veracode. "The intuition is, if it's branded, it's more dangerous."

Applying the WHO Guidelines

Mr. Eng suggests that, in an ideal world, the industry could go back to the old days, and refer to vulnerabilities by their Common Vulnerabilities and Exposures numbers. "They're only eight numbers," he says. "They aren't that hard to remember. And the first four are the year."

But he also acknowledged that the cat was out of the bag, and research companies are now accustomed to having their own individually named, marketable vulnerabilities. Even if they weren't, there are times where it's extremely useful to be able to discuss vulnerabilities without worrying about typing CVE 2009-1324 when you meant CVE 2009-1423.
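As an added illustration, not code from the article or from any of the firms quoted in it: a small Python helper that checks a string against the CVE identifier layout Mr. Eng describes (the year first, then a sequence number), normalizes the spaced form used above into the hyphenated form, flags the digit-transposition slip the paragraph mentions (CVE 2009-1324 versus CVE 2009-1423), and maps an NVD CVSS v2 base score such as Venom's 7.5 to its severity band. The regular expression, the transposition check and the band thresholds are my own; the note that sequence numbers may run longer than four digits reflects the CVE syntax change that took effect in 2014 and is not something the article states. Identifiers other than the two from the article are constructed samples.

```python
import re

# CVE identifier layout: "CVE", a four-digit year, then a sequence number.
# The sequence is at least four digits; since the 2014 syntax change it may
# be longer, so no upper bound is imposed here. A space or hyphen is
# tolerated between the parts so that "CVE 2009-1324" (as written in the
# article) normalizes to "CVE-2009-1324".
_CVE_RE = re.compile(r"^CVE[-\s]?(\d{4})[-\s](\d{4,})$", re.IGNORECASE)


def normalize_cve(text):
    """Return the canonical 'CVE-YYYY-NNNN...' form, or raise ValueError."""
    match = _CVE_RE.match(text.strip())
    if not match:
        raise ValueError(f"not a CVE identifier: {text!r}")
    year, seq = match.group(1), match.group(2)
    if int(year) < 1999:  # the CVE list began in 1999
        raise ValueError(f"implausible CVE year in {text!r}")
    return f"CVE-{year}-{seq}"


def cve_year(text):
    """The year component ('the first four are the year')."""
    return int(normalize_cve(text).split("-")[1])


def looks_like_transposition(id_a, id_b):
    """True when two identifiers share a year and their sequence numbers
    contain the same digits in a different order, e.g. 1324 vs 1423.
    Useful as a sanity check when an advisory cites two near-identical ids."""
    a, b = normalize_cve(id_a), normalize_cve(id_b)
    if a == b:
        return False
    _, year_a, seq_a = a.split("-")
    _, year_b, seq_b = b.split("-")
    return year_a == year_b and sorted(seq_a) == sorted(seq_b)


def cvss2_severity(score):
    """NVD severity band for a CVSS v2 base score (0.0-10.0):
    Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0."""
    score = float(score)
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


if __name__ == "__main__":
    # Constructed usage: the two ids from the article and a sample 5-digit id.
    for raw in ("CVE 2009-1324", "CVE 2009-1423", "CVE-2015-12345"):
        print(raw, "->", normalize_cve(raw), "year", cve_year(raw))
    print("transposition?", looks_like_transposition("CVE 2009-1324", "CVE 2009-1423"))
    print("7.5 is", cvss2_severity(7.5))
```

The transposition check only catches the specific mistake the paragraph describes (same digits, different order); it is not a substitute for looking the identifier up in the database before acting on it.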

This is where the WHO guidelines could be useful.

WHO suggests short, pronounceable acronyms for names. Its prototypical disease name is SARS: memorable enough as an acronym without causing the same undue fear as a name like Venom. Venom, and bugs like it, could just as easily be described as a Virtualization Escape Vulnerability, or VEV, says Dawson of Fortinet.

But unlike the cybersecurity industry, the healthcare profession has strong governing bodies such as WHO at its center, and hospitals don't see the same marketing value in a threatening disease name. Dawson says trade groups could play a similar role and dissuade the industry from racing to come up with the coolest names and marketing campaigns.

When it comes down to it, Dawson doubts the names are what most people in the industry want anyway. "Developers don't want logos," he says. "Marketing wants logos."

/World/Passcode/2015/0522/What-the-security-industry-can-learn-from-the-World-Health-Organization