Word of mouth (figuratively speaking in 2022) and reputation are everything in the tech industry. Specifically, the question that follows “How does it work?” and “How much does this software or hardware cost?” is often “How secure is this product?” The answers to these questions go a long way in determining the success of the business behind them. If a commercial router, for example, works great and is inexpensive but insecure, as evidenced by bugs, data breaches, or pen tests, lawyers, competitors, journalists, or customers on social media will often transmit this information quickly. Sometimes the tech company will attempt to do damage control by bringing the defect or violation to public attention before anyone else can. By setting the tone of the narrative, the company can often gain or retain the trust of the consumer and its stakeholders and mitigate misleading rumors and gossip from other sources. Sometimes the company does not have time to exercise this strategy, and if the public hears it from another source, it could have negative effects. Sometimes, as in the case that is about to be discussed, despite what the company does to soften the blow, another version of the facts is put forward and can lead to uncertainty about the company. The libel case, Ubiquiti vs. Krebs on Security, filed last week in the United States District Court for the Eastern District of Virginia, touches on many of these issues.
Brian Krebs runs a well-known security blog called Krebs on Security. Krebs, no stranger to libel law, was a reporter for the Washington Post for 14 years and became a self-taught cybersecurity guru. His blog is extremely popular and generally viewed favorably by the industry. In an academic environment, cybersecurity being a subject that evolves almost daily, blogs like his are a great help for professors by demonstrating the practical applications of security tools and policies. Ubiquiti, on the other side of the conflict I’m about to dive into, is a company that produces and sells a wide variety of networking devices and software, both wired and wireless, for end users as well as Internet service providers and other technology businesses.
Make Cyber Breaches Public
At the end of 2020, Ubiquiti discovered that its cloud infrastructure had been accessed without authorization. They assembled an investigation team and continued to explore the source, while the hacker began demanding ransoms in exchange for withholding sensitive information. Ubiquiti informed the public and its investors in February of the breach and the ransom, which they had not paid. Further investigation by Ubiquiti led them to believe that an insider had carried out the hack, leading them to turn the matter over to the FBI for investigation. The insider, Nickolas Sharp, was investigated and charged with theft and extortion. However, during the investigation, Sharp decided to promote his claim that a whistleblower disclosed a cover-up via Krebs, who interviewed him for his blog. The article referred to Sharp as a source named “Adam”, who failed to mention he was the blackmailer and the insider threat, while claiming that Ubiquiti was covering up an outside attack, misinterpreting information and hiding it from its stakeholders.
The interview was published on Krebs’ blog on March 30, after the search warrant was executed on Sharp’s property but before he was formally charged, which did not occur until October. Ubiquiti argues (for the sake of brevity I summarize) that Krebs implied that Sharp (aka Adam) was credible and knew he was not, that Krebs’ wide circulation caused others to report this story or a similar story, and that Krebs, had he done his homework, should have known that Ubiquiti had disclosed the breach weeks earlier. Krebs also wrote another article on the matter later without noting that “Adam” had in fact been charged. Here is the link to the article for those who want to analyze for themselves:
The elements of defamation are simple:
A false communication made to a third party by another, who knew or should have known that the communication was false but failed to exercise due diligence, causing damages to the plaintiff. What we don’t know is where that needle of due diligence standards, in the eyes of a court, should rest and what other information Krebs may have used to corroborate Sharp’s story.
The case has correlations to similar stories passed on by national security personnel, where individuals leak classified information and then later claim whistleblower status. There’s a loose track record of holding publications accountable for noticing or knowing the difference, but Krebs’ libel lawsuit will shine a light on the evolving world of insider threats and cyber breaches.