A presenter at this week’s CanSecWest security conference has withdrawn his scheduled talk for fear the information could be used to attack critical infrastructure worldwide.
Eric Filiol, scientific director of the Operational Cryptology and Virology lab, CTO/CSO of the ESIEA in France, pulled his talk on Sunday, informing organizer Dragos Ruiu via email. Filiol, a 22-year military veteran with a background in intelligence and computer security, said he has been studying the reality of cyberwar for four months and came to the decision after discussions with his superiors in the French government.
Filiol said he submitted the presentation, entitled “Hacking 9/11: The next is likely to be even bigger with an ounce of cyber,” to CanSecWest three months ago before his research was complete. Since his lab is under supervision of the French government, he was required to review his findings with authorities.
“They told me that this presentation was unsuitable for being public,” Filiol said in an email. “It would be considered as an [incentive] to terrorism and would give precise ideas to terrorists on the know-how (the methodology) and the details regarding the USA (but also how to find weaknesses in other countries).”
Filiol said his methodology—a combination of information gathered through open source intelligence means, mathematical modeling and infantry techniques—could damage critical infrastructure in the United States, and likely worldwide.
“With a small unit of around 10 people, it is possible in an invisible way to cause major national disruptions,” Filiol said.
Filiol said his research is now classified. “I will present it only to people of the French government in forthcoming days,” Filiol said.
Event organizer Ruiu announced Filiol’s withdrawal on Twitter yesterday, initially blaming the French Department of the Interior, the equivalent of the U.S. Department of Homeland Security, and the U.S. Department of Defense, for Filiol pulling out.
“I’d like to remind all concerned: Security by obscurity is not much security at all,” Ruiu tweeted.
Filiol said he gave in not only for legal reasons but also for moral ones.
“Moreover aside the legal responsibility, I have to face a moral responsibility if someone was misusing [this] information against innocent citizens,” Filiol said. “The presentation was very precise with a lot of details. Of course I could not give those details, but it is the problem of proof and attendees would claim that my work was of theoretical interest only (it is often the way that decision-makers elude the real risks).”
Filiol’s talk is still listed on the CanSecWest agenda in its original time slot on Friday morning, but Ruiu said it will be replaced by a runner-up talk that organizers originally had to turn away.
“So it is indeed censorship, but self-censorship inspired by legal and moral reasons,” Filiol said. “As long as full disclosure will be risky, then this kind of decision is preferable.”