#Cyberclown: Hype mechanisms in public OT security discourse

And why it’s our job to name them

Cybersecurity, even security for critical infrastructures, was on TV! And not just anywhere, but in Jan Böhmermann’s late night show. The ZDF Magazin Royale of Oct 7, 2022 is dedicated to IT security from minute 9, hashtag #cyberclown, and as a result, the president of Germany’s Federal Office for Information Security (BSI), Arne Schönbohm, lost his job.
But the cyberclown story is not really a cybersecurity story at all, even if it looks like one. Instead, it’s a story about media outlets that conjure up scandals on a thin research base and politicians who use scandals to publicly justify non-publicly made decisions.
You don’t care about any of that, you’re just here for OT security?

Unfortunately, it still matters to us in our OT security niche. Because as “critical infrastructure security”, OT security is currently morphing from a niche topic into a political battle term. Our topics are becoming more political than we were used to. How does this happen? By recurring hype mechanisms that emotionally charge the public discourse on critical infrastructure security and make it unobjective. These mechanisms are what we should be talking about here — because we, the OT security niche dwellers, are the ones needed to name them and cool down heated tempers.

But let’s take it from the beginning.

Context: #Cyberclown

The cyberclown story is quickly told: By #cyberclown, late night host Jan Böhmermann means BSI President Arne Schönbohm. Quote selection: “The biggest security risk is people sitting on posts.” / “There is a security risk with a bald head.” / “A hitherto unknown, huge, bubbling leak in the German competence pipeline in IT matters.”

The goal of the Böhmermann broadcast was quite clear: to remove Schönbohm as president of the Federal Office for Information Security. And the goal was achieved just eleven days after the show aired, when Federal Interior Minister Nancy Faeser recalled Schönbohm. For now — because Arne Schönbohm is suing against his dismissal.

The Böhmermann plot that led to all this is built on four elements:

Arne Schönbohm has not been particularly popular among security experts, who say he lacks technical expertise and has too many lobbying connections. All this has been going on since he took office in 2016, which is where the term “cyberclown” comes from — from a ZEIT ONLINE article from 2016.
Old News.
Cyber-Sicherheitsrat Deutschland e.V.: Arne Schönbohm hat den “Cyber-Sicherheitsrat Deutschland e.V.” mitgegründet, einen dubiosen Verein, der so tut, als sei er eine offzielle deutsche Behörde. Der jetzige “Präsident” des Vereins, Hans-Wilhelm Dünn, steht gemäß Berichten von 2019 Russland bzw. russischen Geheimdiensten nah. Doof bis dubios, aber Arne Schönbohm hat sich und das BSI sogar schon öffentlich von dem Verein distanziert.
Old News.
Cyber-Sicherheitsrat Deutschland e.V.: Arne Schönbohm co-founded the “Cyber-Sicherheitsrat Deutschland e.V.”, a dubious association that pretends to be an official German authority. The current “president” of the association, Hans-Wilhelm Dünn, is close to Russia or Russian intelligence services, according to 2019 reports. This is dumb and without doubt a bit shady, but Arne Schönbohm has even already publicly distanced himself and the BSI from the association.
Old News.
Protelion: One of the member companies in the “Cyber-Sicherheitsrat Deutschland e.V.” association is Protelion, German offshoot of a Russian IT security company founded by an ex-KGB member. The company appears to be just as dubious as the association. Their software would probably not be recommended to anyone, critical infrastructure or not.
What is missing: the “so what”. We do not know what advantages the dubious company has from its membership in the dubious association and whether the software is used anywhere in German critical infrastructures or by the German government. This raises exciting questions that could be investigated, but as of now, these are nothing but:
Unsubstantiated assumptions.
Arne Schönbohm recently gave a speech at the 10th anniversary of his dubious association, although he had actually distanced himself from the whole thing. These are the only real news in the matter. One can rightfully criticize his appearance, at the very least it is politically instinctless. But without all the fuss, would that have been enough to make a president of a federal authority resign from office within eleven days?

The cyberclown story is therefore not a security story at its core, even if one of the protagonists happens to be — or rather was — the head of the Federal IT Security Agency. Instead, it’s a story about the media, which use thinly researched facts to fabricate scandals, and politicians, who use scandals to publicly justify decisions that were not made in public.

Talking publicly about dry topics: Framing for relevance

At this point, we could draw a line under the Böhmermann and #Cyberclown cause with the conclusion: Doesn’t really affect us hard hat wearers that much.

But unfortunately it does.

Hier könnten wir nun einen Schlussstrich ziehen unter die Cause Böhmermann und #Cyberclown mit der Erkenntnis: Tangiert uns Schutzhelmträger eigentlich nicht so sehr.

Tut es aber leider doch.

After all, the issue has nothing to do with the security of critical infrastructures. However, Jan Böhmermann very deliberately moved it in this direction, and this is not an unusual case.

As “critical infrastructure security”, OT security is currently morphing from a niche topic into a political battle term. Our topics are becoming more political than we were used to. Our standard repertoire of terms, concepts, and critical thinking, which we have so far used carelessly and mostly without any political intentions, is acquiring connotations that can be used to stir up public opinion.

Journalists need to explain to their readers, listeners and viewers why an unwieldy topic is topical and relevant (and technical topics are always unwieldy).

Once a way has been found to frame a technical topic for relevance, a way to stick the adjectives “ topical” and “relevant” to the issue, this “relevance frame” often becomes self-perpetuating, used in hundreds of texts, until at some point all that needs to be done is to drop a buzzword: Electric motors? Energy transition! Heat pump? Gas crisis!
The vocabulary of our little cybersecurity niche is now also part of a frame for relevance. Our words are becoming buzzwords that can be used to make the party-killer topic of security somehow sound topical and relevant to the average citizen.
Security? Critical infrastructure! Russia! Cyberwar!

Making the relevance of technology topics tangible is not a problem, of course. It only becomes one when the buzzwords are dropped not to make logical connections visible, but to cover up a missing connection or to suggest one where there is none. The relevance frames then become hype mechanisms that, paired with humour, are a great glue to make up for missing logical connections. The result is a scandal without a properly researched basis.

Four hype mechanisms in cybersecurity reporting

What does this have to do with us? Our job is to identify and name hype mechanisms that frequently occur in security reporting. The Böhmermann show is an excellent educational example for security hype mechanisms. A few samples:

Hype mechanism 1: “critical infrastructure” namedropping

Anything with security in its name is surely protecting critical infrastructure in some way.

According to Böhmermann, Protelion GmbH “sells software to German companies so that the critical infrastructure can protect itself and somehow also the entire country from access”. Sound vague? It is. But Böhmermann uses this mechanism a few more times. In the end, one gets the impression that such wacky technologies as VPN are actually only available from Protelion and that no German company — CRITICAL INFRASTRUCTURES EVERYWHERE! — would get by without a Russian VPN.

Hype mechanism 2: FUD

There has already been a real incident with real consequences, so there must be a realistic threat.

Sure, VPN has to be explained — what is it actually needed for? Remote maintenance of critical infrastructures (see above), and of course the only real example we have of a Russian attack (more precisely: collateral damage, but that’s details) on German critical infrastructure (more precisely: wind turbines of a manufacturer whose operation was never endangered, but again: details) has to be used. It is about the failure of remote maintenance for Enercon wind turbines due to the attack on the satellite operator Viasat, see Hardhats briefing from May 2022.

The mechanism is well known as sowing “FUD” — Fear, Uncertainty and Doubt. Incidents are great for this. That’s why so many security companies advertise incidents. Did they have any impact at all? Does the content of the incident have anything to do with what we are talking about right now? It doesn’t matter, it could be. That will have to do.

Hype mechanism 3: gatekeeping

If you don’t understand the reference, it’s you, not the reference.

There is no evidence whatsoever that critical infrastructures actually use software from Protelion. The only “evidence”: The BSI writes on request that it does not know whether Protelion is used anywhere in the federal government. That’s not much, but it could theoretically be a scandal, and a good Böhmermann joke will get you over any doubts that arise.

Gaps in logic are glossed over with mockery and (partly justified) general criticism. Sure, the German government has no clue about IT, giggle. Every “insider” just knows Russia means everyone harm — sure, the evidence is thin in this case, but if you dont get it, you’re just a noob, #cyberclown, giggle.

This is not just fun, it is dangerous. After all, you don’t have to prove logical connections. It’s enough to insinuate them and let the listener assumes the rest. And anyone who doesn’t get it is simply not a real hacker. When an entire community celebrates references and inside jokes, fewer people dare to question the validity of the references and not laugh along with the jokes. This is called gatekeeping, and the IT security bubble is exceptionally good at it.

Hype mechanism 4: Not refutable speculations

Experts suspect that…

Last but not least, although not security-specific: Of course, you can always leave out the facts that would spoil your story — and instead simply create others yourself by asking the right experts.

Not long ago, Arne Schönbohm was criticized because the BSI issued a blanket warning against Kaspersky software because of Russia, cyberwar, critical infrastructures — you get it. Doesn’t really go well with exaggerated closeness to Russia, does it?

So, better cut that info and fill the gap with a better story. And it’s always a better story if you can tie a security story (an incident, a threat, whatever) to someone that is accepted as a villain. A good story needs protagonists and antagonists. Most of the time, there is no evidence for such an attribution because it is technically very difficult. But there is always “an expert” who will make a more or less well-founded speculation. And this speculation has almost always the same content (Russia did it), which is usually accepted unquestioningly and quoted dozens of times. There’s no risk for the expert: It’s as hard to disprove as it is to prove.

Get out of the dark mode!

When you deal with cybersecurity day in, day out, it’s clear that such hype mechanisms get on your nerves. You may quickly recognize them and be inclined to close the newspaper or scroll past the news in annoyance.

But: These cybersecurity hype mechanisms can only be recognized and named by those who are sufficiently deep in the topic, know the context and history — and can thus judge what is a lot of hype about nothing and what it is really news that needs to be taken seriously.

In other words:

Dear cybersecurity niche dweller, even if you’re not used to it: get your head out of your dark mode and help deflate the hype. Make the cybersecurity hype mechanisms visible whenever you encounter them so others can see them too.

It is our task to ensure that critical infrastructure security does not become a political battle term.