Eric Filiol, head of the Operational Cryptography and Computer Virology lab hosted by ESIEA in Laval, France, was scheduled to give a talk on Friday at the CanSecWest conference in Vancouver, British Columbia.
However, that talk has been canceled after reviewers in the intelligence community deemed it a security risk.
In addition to censoring the talk, they also threatened legal action against the conference and presenters.
In a brief post on the subject, Dragos Ruiu, the founder and organizer of CanSecWest, outlined the basics.
"The French Dept. of Interior (their DHS equivalent) and the U.S. DoD have decided that Eric Filiol's material about network attacks on infrastructure is too dangerous, so they have classified it, disallowing its presentation, and to punctuate their desires with an exclamation point, rattling sabers about prosecution and lawsuits of conference organizers and presenters.
To which I'd like to remind everyone concerned: 'Security by Obscurity, is not much Security at all.' Hiding vulnerability information hinders solutions and mitigation more than it hinders attackers."
In an outline of the talk Filiol wrote that since the beginning of the twenty-first century, there has been a growing awareness and collective hysteria about cyber-attacks and cyber-security.
"In this talk we show how the “cyber dimension” will be used more to prepare and plan future conflicts (from War to simple guerilla and terrorist acts) and not solely to conduct cyber-attacks. The “cyber dimension” is bound to provide more power at the intelligence level than at its operational level. It is the clever and evil combination of cyber and conventional tools that will provide major disruption and chaos effects.
We will illustrate our key ideas by considering the case of the US territory and show, through simulation of possible fictive but operational scenarios (based mostly on the military experience of the speaker and test cases studies) how attackers could provoke major disruption, disorder and chaos in this country far beyond of what the 9/11 was, especially when using carefully the “cyber” dimension.
In this respect we explain what could be an extension of Qiao and Wang’s vision of war. We explain what are the consequences in terms of military doctrine may it be for Homeland security or special forces modes of operation."
Salted Hash has reached out to Filiol for comment, this story will be updated with any additional information as it becomes available.Update:
First, there is the issue of the classification itself. What justification is there for such a dramatic form of censorship? Was the research used for the presentation born classified?
Did Filiol's talk contain classified information he obtained during his research? Does his standing as an officer in the French Army have anything to do with this, given his time in the military has revolved around intelligence, and cyberwarfare? Was he required to send the French Department of Interior a copy of his presentation before his talk for final approval, and this is the method of rejection?
Moreover, there are questions concerning the review process at CanSecWest. Assuming that Filiol didn't share the research on his own, why was the French Department of Interior and U.S. Department of Defense reviewing papers? Did they review everything, or just this single talk?
Were they given the presentations for review, or did they demand access? If they demanded access, what was the legal justification?
Again, as more information emerges, this story will be updated. Given the state of things, where governments are increasingly overstepping their boundaries, censoring a security talk sets a bad precedent.
It isn't a stretch to imagine a journalist having their work classified on the spot, in the interest of protecting the government from embarrassment under the guise of national security. So seeing a researcher have the same done to their work is troubling, but more information is needed.Update 2:
In a statement, Eric Filiol says he pulled the talk himself, and that none of the information that was to be presented was "in any way" based on classified work or data. It was all open information.
"In fact [Dragos Ruiu] misinterpreted my email a little bit. I am sorry for that. I have decided to remove the talk under the wise concerns and request of my governmental contacts. As a former military I was [using] my past military experience combined with OSINT to expose a general methodology with application the USA test case."
"Just imagine that for example you say : "Hey if you go on that bridge and do that, well you can can destroy that bridge" Yet it is open information, from legal point of view it is a clear incitement to terrorism. You know how the USA are mad regarding this. Remember that just uttering the word "bomb" can be prosecuted in the U.S.
In a separate email, he expands further, when asked if the talk can be presented in a redacted form.
"In fact, I think I will never do this talk. Too risky for me that is why -- under the wise advices from my governmental contacts -- I have decided to cancel this talk. From a personal point of view there are too many mad people in the world and I do not [want to have] responsibility that a small group of people use my work to harm people and provoke disruption in modern countries. Of course we can always objct (sic) that if I got the idea others will also. This is partly true since I have combined my military experience as infantry platoon leader with the hacker's mind. As you mentioned, it is a team work and we have talked all together to take this decision. I cannot engage the future of young researchers and brilliant students."
A fair point and argument. It's unfortunate that a researcher presenting valid work fears being seen as someone who is inciting terroristic acts by pointing out fundamental flaws in the nation's critical infrastructure. These issues need fixed, and when a good-guy hesitates we all lose. But his background as a military operative is also valid. If anyone is in a position to make a valid risk assessment of his presentation, he is.