With "at least 45 fake Twitter accounts being used to amplify ICIT content and Scott's book, as well as a group of fake YouTube accounts that upload and like ICIT videos." The think tank eventually verified in writing to BuzzFeed that it does, in fact, operate the twitter accounts in question. Twitter has since suspended 11 of the accounts. When we reached out for comment, Scott replied:
ICIT had outsourced its social media management to overseas contractors. I've apologized and regret not managing them more vigilantly at the time. I voluntarily resigned my duties at ICIT so that ICIT was not impacted.
While at ICIT, I wrote several books which we gave away for free so that "cost" never stopped people from accessing the data. I never charged for public speaking engagements or public sector advisory to critical infrastructure organizations due to my deep conviction to help secure our Nation from cyber attack
The thing about cyber and digital decepticons is, all you usually need to do is give them enough rope and they pretty much hang themselves — which, along with some great investigative reporting, is what BuzzFeed did. And "A DC Think Tank Uses Fake Twitter Accounts And A Shady Expert To Reach The NSA, FBI, And White House" is a great story. But it comes with an even more insane backstory.
It started when BuzzFeed journo Craig Silverman noticed a random Twitter reply from the cofounder of ICIT, which appeared to have a lot of spammy support. Silverman looked closer, unearthing numerous bot accounts pushing Scott's recent self-published book on cyber information warfare.
Bizarrely, one of the connecting threads was a unique insult: Scott calling Silverman a "mind midget" (used when the reporter started asking uncomfortable questions). Scott's distinctive misuse of "mental midget" started Silverman down a rabbit hole of sock puppets using the same insult and phrasing, leading to aliases, unsubstantiated claims of bestselling books, a career as a cybersecurity expert that only began in 2013, and (prior to that) a variety of shady startups — including one that sold automated social media boosting.
"He also placed incredibly fawning articles about himself on sites that seemed to exist to improve his SEO," Silverman tweeted. "Fast forward to now and he's still doing that," he added. "Along with the bots that retweet brooding memes of him, there are the fake YouTube accounts that upload ICIT videos of Scott and also leave comments that declare him to be a genius."
After Scott cut off contact with Silverman, the ICIT cofounder was quick to publish a tweet saying that "journalists on Russian/Chinese payroll who are targeting us for exposing them in my Information Warfare book."
That all of this is married to an influential DC cybersecurity think tank struck Silverman as alarming — as it should. "But it seems no one checked on [Scott's] credentials or looked closely at his background," he tweeted.
To which we say, "Welcome to cybersecurity!"
Look: I know we're living in the stupid timeline, the one where the normal and the abnormal are all blurred together.
Especially in Washington DC. It's where John Bolton (no cyber experience) eliminates terrifyingly necessary cyber positions in the White House. Where Jared Kushner (no cyber experience) is Cyber Commandant, and for a while Rudy Giuliani (no cyber experience) was named Donald Trump's official presidential cybersecurity adviser. It's also a fetid warp in space and time where US Deputy Attorney General Rod Rosenstein makes up phrases like "responsible encryption" in order to pretend he has knowledge of a way to backdoor encryption in a totally secure way.
But con artist reward and success is horribly normal for infosec. It has been for ages — look no further than respected indie site Attrition's long-running and oft-referenced Charlatans page. On it, there's nearly a decade of researched and citation-heavy documentation of sketchy technical experts, infosec journalists, companies, and bogus crowdfunding campaigns. All trading on buzzwords in place of knowledge and experience, selling books and events, pushing fear, and ruled by spiteful ego.
Infosec has a vulnerability
The cyber snake oil salesman is a permanent fixture of the industry, much to the chagrin of those working in the trenches and seeing through the charades. Because we often cope with abuse through humor, infosec attempts to cling to sanity with parodies like @SecSnakeOil, Threatbutt, and this year's new addition the F.A.K.E. Security patent-pending line of cybersecurity solutions — literally dressing up and selling products at security conventions packaged as old-timey snake oil potions.
The problem is that everyone uses security but no one understands it. When an industry is like magic voodoo to the world at large, and the industry's knowledgeable inhabitants are hereditarily misanthropic, you have the exact scientific formula for all sorts of wankers to come in and be big stinky assholes, ruining everything they touch.
That's not to say ICIT has ruined anything — but wow, do we have a lot of questions now about their research, citations, experience, vetting, connections, advising, and, well, everything else. James Scott, ICIT's senior fellow and cofounder and the whole reason BuzzFeed even looked into this, is its top expert.
Under the auspices of ICIT last month, James Scott recently downplayed Russian troll armies to Forbes. Scott, as ICIT, told respected-in-infosec outlet CSO last year that AI could "crush" ransomware and would slay the healthcare ransomware dragon, while telling ZDNet that IoT was somehow going to be ransomware's next Pearl Harbor. In another WTF example, Scott-as-ICIT chose the months leading up to 2016's presidential election -- when Russian trolls and propaganda had become a five-alarm fire -- to tell MSNBC that "Islamic terrorists" were about to attack and "The 'cyber jihad' is coming."