Infosec news cycles: How quickly do they fade?

Short cycles, long remediations

There are multiple possible reasons for this "short" public attention span. The first involves the nature of the modern news cycle -- something that extends far beyond infosec.

Newslifespan.com, a collaborative project between Google Trends, Axios and digital design firm Schema, tracked major news stories throughout 2018 in order to study how news enters and leaves the public consciousness. Big stories generally lasted for a week; some lasted a few weeks and some a few days, but the so-called "attention economy" appears to exist whether the news is about a server bug or a blood moon.

One commonality between the cybersecurity and non-cybersecurity news cycles is that both are heavily influenced by how new something is, Malwarebytes threat intelligence researcher Roberto Santos said.

"New things usually get more attention in any area, not just cybersecurity," Santos said. "During the first days of a vulnerability's active exploitation, everyone talks about, detects and responds to it, but after a while it becomes a normal security issue and fewer people talk about it."

That said, there are key differences between a big vulnerability and most one-off news events. For one, the story of a vulnerability never ends when it's disclosed -- it's often just the beginning. Thanks to reasons like imperfect patching rates, servers can be vulnerable to attacks in the months and years following an initial bug report, and threat actors regularly launch new campaigns against years-old vulnerabilities.

Guillermo Christensen, a partner with law firm Ice Miller who specializes in cybersecurity incidents, referred to this as a "lag effect."

"The full impact of [a major vulnerability] won't really be written for years to come," he said. "Which is to say, there are going to be things we're going to pick up on like breaches in two or three years that we won't know about until then, but the source will without a doubt be [the vulnerability]."

When a threat actor attacks a large organization via a vulnerability, the victim may not know it was attacked for another year thanks to dwell time. Incident response and disclosure further extend the timeline, by which point it would no longer be connected to any initial vulnerability news cycle -- hence, a lag effect.

This could be one reason why only a few major breach disclosures appear in the weeks following an event.

The small number of post-vulnerability breach disclosures could also be due to the fact that breaches or attacks against smaller companies rarely reach the public consciousness. Brian Martin, vice president of intelligence at Risk Based Security, said big companies dominate the news cycle not only because of their prominence, but also the expectations that go along with being a massive enterprise.

"The big names rise to the top because in our minds, whether it's reality or not, we say, 'Wow, they have a billion-dollar profit. They should have the resources to stop this, right?'" he said. "The reality is that there's a lot of technical debt, that the company has over 5 million endpoints, and that there are no security solutions that do everything at once. They're trying to juggle 87 different products and vendors to create this hybrid, weird, blended solution that still has huge gaps."

Santos stressed that a vulnerability's presence in the news cycle does not necessarily equate to that flaw's threat level.

"When a vulnerability has become normal, some companies think that it is not an issue anymore and they stop paying attention to it, but the truth is that it is still a big issue and can affect a lot of companies even if it stops hitting the news," he said. "On the other hand, a vulnerability not being in the news does not mean companies are not working on it."

Alexander Culafi is a writer, journalist and podcaster based in Boston.