The danger of misconstruing the most serious security threats

Unlike in politics, it’s rather important in the world of cybersecurity that words and labels mean something specific. Routinely mislabeling hacking and other incidents of computer mischief could lead to overreactions to garden-variety illicit activity or a tendency to downplay the need for a new kind of response to truly dangerous threats.

For example, many experts cringe at how loosely the term “cyber war” is thrown around when a foreign state is the suspected culprit behind a hack or information theft from a government computer. The more accurate label for those kinds of cases is espionage, and that falls well short of an act that justifies retaliation via cruise missile.

On the flip side, experts fear that agency officials might get lulled into a false sense of security due to the misuse of the term “advanced persistent threat,” an increasingly popular label for a highly sophisticated and determined form of hacking — like the campaign that hit security vendor RSA and several defense contractors this past spring.

One instructive example is the case of Stuxnet, the virus that infected industrial control equipment used by countries around the world and, most importantly, by Iran’s nuclear program.

When news of the Stuxnet virus broke last summer, some security experts were reluctant to label it as APT, even though many in the press did so anyway. The virus was certainly advanced; it used an impressive array of hacking techniques, some of which were redundant in case certain tactics failed.

But Stuxnet didn’t seem particularly well targeted because it affected equipment in many countries. More important to the truth-in-APT-labeling game, it didn’t seem to be persistent. Some experts initially saw no evidence of the perpetrator trying to maintain long-term control and access to the infected systems, so they didn’t call Stuxnet APT.

But many vendors did, and they seized on Stuxnet’s high-profile notoriety as an opportunity to sell security products. “It became a marketing buzzword for products that say, ‘We can help stop APT,’” said Dale Peterson, CEO of Digital Bond, a control system consulting and research firm.

After a few months, Peterson and others learned more about how Stuxnet worked and saw designs for persistence, so they began to call it APT after all, as most do now.

However, the mislabeling of other hacking events goes on. “The problem we now have in IT and control systems is anything that does damage and is potentially advanced gets lumped into this APT category,” Peterson said.

That overly liberal use of the APT label diminishes the distinctiveness and value of the concept and affects how organizations defend themselves, Peterson and others said. APT does not describe a class of viruses or hacking techniques, and it cannot be defeated by a single product in a shrink-wrapped box. APT is about the actors behind those exploits — their objectives, resources and patience.

Consequently, when agencies — and let there be no doubt that all of government is a target of APT — assess the risks they face from a threat of this nature, their focus should be quite different from the traditional Whac-A-Mole cybersecurity approach most now take, which focuses on keeping up with the latest software patches and antivirus signatures.

RSA has a good security brief about the steps involved in defending against APT. (Don’t snicker; if anything, the RSA hack shows that anyone can be victimized.) Although the first step sounds simple, many organizations have never done it: Identify which information assets you value most because chances are those are the ones APT is coming after.

“You need to focus on what’s important on your network rather than trying to secure everything to the highest level,” Peterson said.

Building the capabilities to support that kind of security approach will not be easy, but the process can’t start if executives don’t first recognize exactly what kind of threat they’re facing.

About the Author

John Zyskowski is a senior editor of Federal Computer Week. Follow him on Twitter: @ZyskowskiWriter.

The Fed 100

Read the profiles of all this year's winners.

Featured

  • Then-presidential candidate Donald Trump at a 2016 campaign event. Image: Shutterstock

    'Buy American' order puts procurement in the spotlight

    Some IT contractors are worried that the "buy American" executive order from President Trump could squeeze key innovators out of the market.

  • OMB chief Mick Mulvaney, shown here in as a member of Congress in 2013. (Photo credit Gage Skidmore/Flickr)

    White House taps old policies for new government makeover

    New guidance from OMB advises agencies to use shared services, GWACs and federal schedules for acquisition, and to leverage IT wherever possible in restructuring plans.

  • Shutterstock image (by Everett Historical): aerial of the Pentagon.

    What DOD's next CIO will have to deal with

    It could be months before the Defense Department has a new CIO, and he or she will face a host of organizational and operational challenges from Day One

  • USAF Gen. John Hyten

    General: Cyber Command needs new platform before NSA split

    U.S. Cyber Command should be elevated to a full combatant command as soon as possible, the head of Strategic Command told Congress, but it cannot be separated from the NSA until it has its own cyber platform.

  • Image from Shutterstock.

    DLA goes virtual

    The Defense Logistics Agency is in the midst of an ambitious campaign to eliminate its IT infrastructure and transition to using exclusively shared, hosted and virtual services.

  • Fed 100 logo

    The 2017 Federal 100

    The women and men who make up this year's Fed 100 are proof positive of what one person can make possibile in federal IT. Read on to learn more about each and every winner's accomplishments.

Reader comments

Thu, Aug 11, 2011 Fred Seattle

Article would be of more value if it contained a link to a "authorative" reference of terms to classify security incidents. Do you know of one?

Thu, Aug 11, 2011 John Denver

This is a refreshing take on threat vs hype. Too often, 'security experts' waste a huge amount of (our) time and resources on pursuits that the real problem makers would circumvent...Thank you for your focus and accuracy (The RSA article was a great one too).

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group