Word of mouth (figuratively speaking in 2022) and reputation is everything in the technology industry. Specifically, the question that follows “How well does this work?” and “How expensive is this software or hardware?” is often “How secure is this product?” The answers to these questions go a long way in determining the success of the company behind it. If a commercial router, for example, works really well, and is inexpensive but not secure as evidenced by bugs, data breaches or pen tests show, lawyers, competitors, journalists, or customers on social media will often bring that information forth in rapid fashion. Sometimes the technology company will attempt damage control by bringing the defect or breach to the public’s attention before anyone else can. By setting the tone for the narrative, the company can often gain or retain trust from the consumer and their stakeholders and mitigate erroneous rumors and gossip from other sources. Sometimes the timing is not possible for the company to exercise this strategy and if the public hears it from another source, it could possibly have negative effects. Sometimes, as in the case about to be discussed, despite what the company does to lessen the blow, another version of the facts is brought forth and can lead to uncertainty about the company. The defamation case, Ubiquiti vs Krebs on Security, filed last week in the United States District Court, for the Eastern District of Virginia last week, touches on several of those issues.
Brian Krebs runs a well-known security blog entitled Krebs on Security. Krebs, no stranger to defamation law, was a Washington Post reporter for 14 years and has become a self-educated cybersecurity guru. His blog is wildly popular and generally looked at favorably by the industry. In an academic environment, with cybersecurity being an evolving topic almost daily, blogs such as his are a great aid to faculty in demonstrating practical applications of security tools and policies. Ubiquiti, on the other side of the conflict I am about to dive into, is a company who produces and sells a large variety of networking devices and software, both wired and wireless, for end user consumers as well as Internet Service Providers and other tech companies.
Going Public on Cyber Breaches
In late 2020, Ubiquiti discovered its cloud infrastructure had been accessed without authorization. They assembled an investigative team and continued to explore the source, while the hacker started demanding ransoms in exchange for not releasing sensitive information. Ubiqiuti told the public and its investors in February of both the breach and the ransom, which they had not paid. More investigation by Ubiquiti led them to believe an insider performed the hack, which resulted in them turning the matter over to the FBI for investigation. The insider, Nickolas Sharp, was investigated and charged with the crimes of theft and extortion. However, during the investigation, Sharp decided to promote his claim of a whistleblower exposing a cover-up via Krebs, who interviewed him for his blog. The article referred to Sharp as a source named “Adam”, who failed to mention that he was the blackmailer and the inside threat, while claiming Ubiquiti was covering up an outside attack, through mischaracterization and keeping information from its stakeholders.
The interview ran in Krebs’ blog on March 30th, after the search warrant was executed on Sharp’s property but before he was formally charged, which didn’t take place until October. Ubiquiti contends (for the sake of brevity I am summarizing) that Krebs implied that Sharp (alias Adam) was credible and knew he wasn’t, that Krebs’ wide circulation caused others to report this or a similar story, and that Krebs, had he done his homework, should have known that Ubiquiti disclosed the breach weeks earlier. Krebs also wrote another article on the matter later on without noting that “Adam” had actually been charged. Here is the link to the article for those that want to analyze for themselves:
Defamation elements are straightforward:
A false communication made to a third person made by another, who knew or should have known the communication was false but didn’t exercise reasonable care, which caused damages to the plaintiff. What we do not know is where that needle of reasonable care standards, in the eyes of a court, should rest and what other information Krebs may have used to corroborate Sharp’s story.
The case has correlations to similar stories that come through the national security workforce, where individuals leak classified information and then later claim whistleblower status. There is a loose track record of holding publications responsible for noting or knowing the difference, but the Krebs defamation lawsuit will shine a spotlight on the evolving world of insider threats and cyber breaches.