The danger of misconstruing the most serious security threats

Unlike in politics, it’s rather important in the world of cybersecurity that words and labels mean something specific. Routinely mislabeling hacking and other incidents of computer mischief could lead to overreactions to garden-variety illicit activity or a tendency to downplay the need for a new kind of response to truly dangerous threats.

For example, many experts cringe at how loosely the term “cyber war” is thrown around when a foreign state is the suspected culprit behind a hack or information theft from a government computer. The more accurate label for those kinds of cases is espionage, and that falls well short of an act that justifies retaliation via cruise missile.

On the flip side, experts fear that agency officials might get lulled into a false sense of security due to the misuse of the term “advanced persistent threat,” an increasingly popular label for a highly sophisticated and determined form of hacking — like the campaign that hit security vendor RSA and several defense contractors this past spring.

One instructive example is the case of Stuxnet, the virus that infected industrial control equipment used by countries around the world and, most importantly, by Iran’s nuclear program.

When news of the Stuxnet virus broke last summer, some security experts were reluctant to label it as APT, even though many in the press did so anyway. The virus was certainly advanced; it used an impressive array of hacking techniques, some of which were redundant in case certain tactics failed.

But Stuxnet didn’t seem particularly well targeted because it affected equipment in many countries. More important to the truth-in-APT-labeling game, it didn’t seem to be persistent. Some experts initially saw no evidence of the perpetrator trying to maintain long-term control and access to the infected systems, so they didn’t call Stuxnet APT.

But many vendors did, and they seized on Stuxnet’s high-profile notoriety as an opportunity to sell security products. “It became a marketing buzzword for products that say, ‘We can help stop APT,’” said Dale Peterson, CEO of Digital Bond, a control system consulting and research firm.

After a few months, Peterson and others learned more about how Stuxnet worked and saw designs for persistence, so they began to call it APT after all, as most do now.

However, the mislabeling of other hacking events goes on. “The problem we now have in IT and control systems is anything that does damage and is potentially advanced gets lumped into this APT category,” Peterson said.

That overly liberal use of the APT label diminishes the distinctiveness and value of the concept and affects how organizations defend themselves, Peterson and others said. APT does not describe a class of viruses or hacking techniques, and it cannot be defeated by a single product in a shrink-wrapped box. APT is about the actors behind those exploits — their objectives, resources and patience.

Consequently, when agencies — and let there be no doubt that all of government is a target of APT — assess the risks they face from a threat of this nature, their focus should be quite different from the traditional Whac-A-Mole cybersecurity approach most now take, which focuses on keeping up with the latest software patches and antivirus signatures.

RSA has a good security brief about the steps involved in defending against APT. (Don’t snicker; if anything, the RSA hack shows that anyone can be victimized.) Although the first step sounds simple, many organizations have never done it: Identify which information assets you value most because chances are those are the ones APT is coming after.

“You need to focus on what’s important on your network rather than trying to secure everything to the highest level,” Peterson said.

Building the capabilities to support that kind of security approach will not be easy, but the process can’t start if executives don’t first recognize exactly what kind of threat they’re facing.

About the Author

John Zyskowski is a senior editor of Federal Computer Week. Follow him on Twitter: @ZyskowskiWriter.

FCW in Print

In the latest issue: Looking back on three decades of big stories in federal IT.


  • FCW @ 30 GPS

    FCW @ 30

    Since 1996, FCW has covered it all -- the major contracts, the disruptive technologies, the picayune scandals and the many, many people who make federal IT function. Here's a look back at six of the most significant stories.

  • Shutterstock image.

    A 'minibus' appropriations package could be in the cards

    A short-term funding bill is expected by Sept. 30 to keep the federal government operating through early December, but after that the options get more complicated.

  • Defense Secretary Ash Carter speaks at the TechCrunch Disrupt conference in San Francisco

    DOD launches new tech hub in Austin

    The DOD is opening a new Defense Innovation Unit Experimental office in Austin, Texas, while Congress debates legislation that could defund DIUx.

  • Shutterstock image.

    Merged IT modernization bill punts on funding

    A House panel approved a new IT modernization bill that appears poised to pass, but key funding questions are left for appropriators.

  • General Frost

    Army wants cyber capability everywhere

    The Army's cyber director said cyber, electronic warfare and information operations must be integrated into warfighters' doctrine and training.

  • Rising Star 2013

    Meet the 2016 Rising Stars

    FCW honors 30 early-career leaders in federal IT.

Reader comments

Thu, Aug 11, 2011 Fred Seattle

Article would be of more value if it contained a link to a "authorative" reference of terms to classify security incidents. Do you know of one?

Thu, Aug 11, 2011 John Denver

This is a refreshing take on threat vs hype. Too often, 'security experts' waste a huge amount of (our) time and resources on pursuits that the real problem makers would circumvent...Thank you for your focus and accuracy (The RSA article was a great one too).

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group