The danger of misconstruing the most serious security threats

Unlike in politics, it’s rather important in the world of cybersecurity that words and labels mean something specific. Routinely mislabeling hacking and other incidents of computer mischief could lead to overreactions to garden-variety illicit activity or a tendency to downplay the need for a new kind of response to truly dangerous threats.

For example, many experts cringe at how loosely the term “cyber war” is thrown around when a foreign state is the suspected culprit behind a hack or information theft from a government computer. The more accurate label for those kinds of cases is espionage, and that falls well short of an act that justifies retaliation via cruise missile.

On the flip side, experts fear that agency officials might get lulled into a false sense of security due to the misuse of the term “advanced persistent threat,” an increasingly popular label for a highly sophisticated and determined form of hacking — like the campaign that hit security vendor RSA and several defense contractors this past spring.

One instructive example is the case of Stuxnet, the virus that infected industrial control equipment used by countries around the world and, most importantly, by Iran’s nuclear program.

When news of the Stuxnet virus broke last summer, some security experts were reluctant to label it as APT, even though many in the press did so anyway. The virus was certainly advanced; it used an impressive array of hacking techniques, some of which were redundant in case certain tactics failed.

But Stuxnet didn’t seem particularly well targeted because it affected equipment in many countries. More important to the truth-in-APT-labeling game, it didn’t seem to be persistent. Some experts initially saw no evidence of the perpetrator trying to maintain long-term control and access to the infected systems, so they didn’t call Stuxnet APT.

But many vendors did, and they seized on Stuxnet’s high-profile notoriety as an opportunity to sell security products. “It became a marketing buzzword for products that say, ‘We can help stop APT,’” said Dale Peterson, CEO of Digital Bond, a control system consulting and research firm.

After a few months, Peterson and others learned more about how Stuxnet worked and saw designs for persistence, so they began to call it APT after all, as most do now.

However, the mislabeling of other hacking events goes on. “The problem we now have in IT and control systems is anything that does damage and is potentially advanced gets lumped into this APT category,” Peterson said.

That overly liberal use of the APT label diminishes the distinctiveness and value of the concept and affects how organizations defend themselves, Peterson and others said. APT does not describe a class of viruses or hacking techniques, and it cannot be defeated by a single product in a shrink-wrapped box. APT is about the actors behind those exploits — their objectives, resources and patience.

Consequently, when agencies — and let there be no doubt that all of government is a target of APT — assess the risks they face from a threat of this nature, their focus should be quite different from the traditional Whac-A-Mole cybersecurity approach most now take, which focuses on keeping up with the latest software patches and antivirus signatures.

RSA has a good security brief about the steps involved in defending against APT. (Don’t snicker; if anything, the RSA hack shows that anyone can be victimized.) Although the first step sounds simple, many organizations have never done it: Identify which information assets you value most because chances are those are the ones APT is coming after.

“You need to focus on what’s important on your network rather than trying to secure everything to the highest level,” Peterson said.

Building the capabilities to support that kind of security approach will not be easy, but the process can’t start if executives don’t first recognize exactly what kind of threat they’re facing.

About the Author

John Zyskowski is a senior editor of Federal Computer Week. Follow him on Twitter: @ZyskowskiWriter.

The Fed 100

Save the date for 28th annual Federal 100 Awards Gala.

Featured

  • computer network

    How Einstein changes the way government does business

    The Department of Commerce is revising its confidentiality agreement for statistical data survey respondents to reflect the fact that the Department of Homeland Security could see some of that data if it is captured by the Einstein system.

  • Defense Secretary Jim Mattis. Army photo by Monica King. Jan. 26, 2017.

    Mattis mulls consolidation in IT, cyber

    In a Feb. 17 memo, Defense Secretary Jim Mattis told senior leadership to establish teams to look for duplication across the armed services in business operations, including in IT and cybersecurity.

  • Image from Shutterstock.com

    DHS vague on rules for election aid, say states

    State election officials had more questions than answers after a Department of Homeland Security presentation on the designation of election systems as critical U.S. infrastructure.

  • Org Chart Stock Art - Shutterstock

    How the hiring freeze targets millennials

    The government desperately needs younger talent to replace an aging workforce, and experts say that a freeze on hiring doesn't help.

  • Shutterstock image: healthcare digital interface.

    VA moves ahead with homegrown scheduling IT

    The Department of Veterans Affairs will test an internally developed scheduling module at primary care sites nationwide to see if it's ready to service the entire agency.

  • Shutterstock images (honglouwawa & 0beron): Bitcoin image overlay replaced with a dollar sign on a hardware circuit.

    MGT Act poised for a comeback

    After missing in the last Congress, drafters of a bill to encourage cloud adoption are looking for a new plan.

Reader comments

Thu, Aug 11, 2011 Fred Seattle

Article would be of more value if it contained a link to a "authorative" reference of terms to classify security incidents. Do you know of one?

Thu, Aug 11, 2011 John Denver

This is a refreshing take on threat vs hype. Too often, 'security experts' waste a huge amount of (our) time and resources on pursuits that the real problem makers would circumvent...Thank you for your focus and accuracy (The RSA article was a great one too).

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group