The bogus expert and social media chicanery of DC’s top cyber think tank

No, you can't block a zero-day.

Like viruses, cybersecurity charlatans are incidental guests in the body of infosec. These men sell false expertise, conspiracy theories, and invisible security potions and they are as unintentionally hilarious as they are alarming. Case in point: BuzzFeed's exposé of James Scott, cofounder of Washington DC's big cybersecurity think tank, ICIT (Institute for Critical Infrastructure Technology).

With "at least 45 fake Twitter accounts being used to amplify ICIT content and Scott's book, as well as a group of fake YouTube accounts that upload and like ICIT videos." The think tank eventually verified in writing to BuzzFeed that it does, in fact, operate the twitter accounts in question. Twitter has since suspended 11 of the accounts. When we reached out for comment, Scott replied:

ICIT had outsourced its social media management to overseas contractors. I've apologized and regret not managing them more vigilantly at the time. I voluntarily resigned my duties at ICIT so that ICIT was not impacted.

While at ICIT, I wrote several books which we gave away for free so that "cost" never stopped people from accessing the data. I never charged for public speaking engagements or public sector advisory to critical infrastructure organizations due to my deep conviction to help secure our Nation from cyber attack

The thing about cyber and digital decepticons is, all you usually need to do is give them enough rope and they pretty much hang themselves — which, along with some great investigative reporting, is what BuzzFeed did. And "A DC Think Tank Uses Fake Twitter Accounts And A Shady Expert To Reach The NSA, FBI, And White House" is a great story. But it comes with an even more insane backstory.

It started when BuzzFeed journo Craig Silverman noticed a random Twitter reply from the cofounder of ICIT, which appeared to have a lot of spammy support. Silverman looked closer, unearthing numerous bot accounts pushing Scott's recent self-published book on cyber information warfare.

Artificial influencer

Bizarrely, one of the connecting threads was a unique insult: Scott calling Silverman a "mind midget" (used when the reporter started asking uncomfortable questions). Scott's distinctive misuse of "mental midget" started Silverman down a rabbit hole of sock puppets using the same insult and phrasing, leading to aliases, unsubstantiated claims of bestselling books, a career as a cybersecurity expert that only began in 2013, and (prior to that) a variety of shady startups — including one that sold automated social media boosting.

"He also placed incredibly fawning articles about himself on sites that seemed to exist to improve his SEO," Silverman tweeted. "Fast forward to now and he's still doing that," he added. "Along with the bots that retweet brooding memes of him, there are the fake YouTube accounts that upload ICIT videos of Scott and also leave comments that declare him to be a genius."

After Scott cut off contact with Silverman, the ICIT cofounder was quick to publish a tweet saying that "journalists on Russian/Chinese payroll who are targeting us for exposing them in my Information Warfare book."

That all of this is married to an influential DC cybersecurity think tank struck Silverman as alarming — as it should. "But it seems no one checked on [Scott's] credentials or looked closely at his background," he tweeted.

To which we say, "Welcome to cybersecurity!"

Look: I know we're living in the stupid timeline, the one where the normal and the abnormal are all blurred together.

Especially in Washington DC. It's where John Bolton (no cyber experience) eliminates terrifyingly necessary cyber positions in the White House. Where Jared Kushner (no cyber experience) is Cyber Commandant, and for a while Rudy Giuliani (no cyber experience) was named Donald Trump's official presidential cybersecurity adviser. It's also a fetid warp in space and time where US Deputy Attorney General Rod Rosenstein makes up phrases like "responsible encryption" in order to pretend he has knowledge of a way to backdoor encryption in a totally secure way.

But con artist reward and success is horribly normal for infosec. It has been for ages — look no further than respected indie site Attrition's long-running and oft-referenced Charlatans page. On it, there's nearly a decade of researched and citation-heavy documentation of sketchy technical experts, infosec journalists, companies, and bogus crowdfunding campaigns. All trading on buzzwords in place of knowledge and experience, selling books and events, pushing fear, and ruled by spiteful ego.

Infosec has a vulnerability

The cyber snake oil salesman is a permanent fixture of the industry, much to the chagrin of those working in the trenches and seeing through the charades. Because we often cope with abuse through humor, infosec attempts to cling to sanity with parodies like @SecSnakeOil, Threatbutt, and this year's new addition the F.A.K.E. Security patent-pending line of cybersecurity solutions — literally dressing up and selling products at security conventions packaged as old-timey snake oil potions.

The problem is that everyone uses security but no one understands it. When an industry is like magic voodoo to the world at large, and the industry's knowledgeable inhabitants are hereditarily misanthropic, you have the exact scientific formula for all sorts of wankers to come in and be big stinky assholes, ruining everything they touch.

That's not to say ICIT has ruined anything — but wow, do we have a lot of questions now about their research, citations, experience, vetting, connections, advising, and, well, everything else. James Scott, ICIT's senior fellow and cofounder and the whole reason BuzzFeed even looked into this, is its top expert.

Under the auspices of ICIT last month, James Scott recently downplayed Russian troll armies to Forbes. Scott, as ICIT, told respected-in-infosec outlet CSO last year that AI could "crush" ransomware and would slay the healthcare ransomware dragon, while telling ZDNet that IoT was somehow going to be ransomware's next Pearl Harbor. In another WTF example, Scott-as-ICIT chose the months leading up to 2016's presidential election -- when Russian trolls and propaganda had become a five-alarm fire -- to tell MSNBC that "Islamic terrorists" were about to attack and "The 'cyber jihad' is coming."

Fire up your conspiracy engines

Aside from the incredibly spammy activity around him, the bulk of Scott's cybersecurity work is ... odd. Take for instance his book "Cybersecurity 101: What You Absolutely Must Know! – Volume 1: Learn how not to be Pwned, Thwart Spear Phishing and Zero Day exploits, Cloud security basics and much more." The book's description claims it will tell readers "how to block Zero Day exploits" -- a claim that makes literally zero sense. It's not too surprising, then, that the review rated "most helpful" straight-up says that all the book's positive reviews must be fake.

Scott's latest book ("Information Warfare: The Meme is the Embryo of the Narrative Illusion") is being heavily promoted by ICIT and on its website, stating in its front matter that "this powerful philosophy is the bedrock of [ICIT]." It's a fairly schizophrenic conspiracy book about cyber attackers and memes, positioned firmly against the "Corporate Nation State censorship collective."

The thick rant includes gems about political correctness as "a loaded gun that the individual holds to their own head" that "normalizes the abnormal and is an elitist weapon over minions." Its dedication, to Scott's sons, warning them of a battle "to construct an artificial universe of foreign ideas in your Minds" and pleads that they "emancipate your minds from the matrix" so they can "carry on the Great Work." Which doesn't at all conjure worrying influences of red pill ideology or Nazi "Great Work" occultism steering DC's top cyber think tank. As you might've guessed, ICIT's new book by its cyber expert includes mentions of "radical online collectives, such as the Muslim Brotherhood or antifa," categorizing anti-fascists as "Ideological Domestic Terrorists."

You may wonder what all that has to do with cybersecurity and ICIT, which is promoting every bit of it to leaders from the Department of Homeland Security, the NSA, the current assembly of frothing weirdoes in the White House, the FBI, and the public at large.

What it has to do with directly is James Scott. What it has to do with in regard to infosec in leadership positions steering the course of this shattered country is at once absurd and a sign that everyone is really not okay.

Images: Library of Congress (Snake oil salesman); Getty Images (Looking through blinds)