Cloud Should Not Be Spelt FUD
Fear, Uncertainty, and Doubt (FUD) are sadly a cornerstone of those who don't know enough to know better, or those who just don't care if they are wrong. When it comes to information technology, FUD is alive and well in 'cloud computing', at least from the perspective of those who want to make interesting headlines that will throw their readership into a tizzy.
This morning I saw an article over at Computerworld which is unfortunately not an exception to the rule when it comes to creating a stir over a topic that has lots of attention currently. The article is titled "Raytheon hit by cloud-based attack" and goes into detail about a phishing attack that was launched against them and ultimately thwarted by what sounds like a pretty fantastic defense-in-depth deployment there. But I digress; the real topic here is how Computerworld went ahead and made a story about the scariness of cloud computing.
To help frame this, the general FUD was predicated on the statement:
"It was a spear phishing attack where an email was sent to employees at the company, asking them to access an application through a certain link, which was through a cloud service."
While in any other story this may just be a detail of the matter, Computerworld has gone the route of sensationalized journalism to point out that the cloud is the reason for Raytheon's situation. The less-technical reader will likely go, "Wow, terrible things just keep happening in 'the cloud'", whereas I go, "Wow, a computer somewhere on the Internet was used for a phishing attack."
The problem here is that these stories, in which 'cloud computing' is framed as this terrible, scary, uncontrollable evil, make little point as to what it is that allows this attack to be any more terrible than if it had occurred via any number of other types of computing services. Take the analogy that if we were talking about someone getting shot, a press statement saying that "A Ruger was used to kill the man" would mean little to any of us. We wouldn't think that Ruger was somehow a bad brand, or that their weapons are better or worse than anyone else's just because one was involved in a crime.
If this attack against Raytheon had happened from any shared web hosting provider, virtual private server (VPS) provider, dedicated hosting provider, colocation facility, personal computer, McDonald's Wi-Fi, or anywhere else, this portion of the story would have never been included as part of the title (unless it was really interesting, like a McDonald's Wi-Fi attacking Raytheon!).
The point here is that even if the barely-tech-savvy journalists are going to wield cloud computing as their weapon of FUD, we need to prepare ourselves to look past it and just get to the real story. A better title would have been "Raytheon hit by phishing attack; defense mechanisms detect & defeat attacker in two hours". Now that's a headline I care about and would want to read.