The danger of misconstruing the most serious security threats

Unlike in politics, it’s rather important in the world of cybersecurity that words and labels mean something specific. Routinely mislabeling hacking and other incidents of computer mischief could lead to overreactions to garden-variety illicit activity or a tendency to downplay the need for a new kind of response to truly dangerous threats.

For example, many experts cringe at how loosely the term “cyber war” is thrown around when a foreign state is the suspected culprit behind a hack or information theft from a government computer. The more accurate label for those kinds of cases is espionage, and that falls well short of an act that justifies retaliation via cruise missile.

On the flip side, experts fear that agency officials might get lulled into a false sense of security due to the misuse of the term “advanced persistent threat,” an increasingly popular label for a highly sophisticated and determined form of hacking — like the campaign that hit security vendor RSA and several defense contractors this past spring.

One instructive example is the case of Stuxnet, the virus that infected industrial control equipment used by countries around the world and, most importantly, by Iran’s nuclear program.

When news of the Stuxnet virus broke last summer, some security experts were reluctant to label it as APT, even though many in the press did so anyway. The virus was certainly advanced; it used an impressive array of hacking techniques, some of which were redundant in case certain tactics failed.

But Stuxnet didn’t seem particularly well targeted because it affected equipment in many countries. More important to the truth-in-APT-labeling game, it didn’t seem to be persistent. Some experts initially saw no evidence of the perpetrator trying to maintain long-term control and access to the infected systems, so they didn’t call Stuxnet APT.

But many vendors did, and they seized on Stuxnet’s high-profile notoriety as an opportunity to sell security products. “It became a marketing buzzword for products that say, ‘We can help stop APT,’” said Dale Peterson, CEO of Digital Bond, a control system consulting and research firm.

After a few months, Peterson and others learned more about how Stuxnet worked and saw designs for persistence, so they began to call it APT after all, as most do now.

However, the mislabeling of other hacking events goes on. “The problem we now have in IT and control systems is anything that does damage and is potentially advanced gets lumped into this APT category,” Peterson said.

That overly liberal use of the APT label diminishes the distinctiveness and value of the concept and affects how organizations defend themselves, Peterson and others said. APT does not describe a class of viruses or hacking techniques, and it cannot be defeated by a single product in a shrink-wrapped box. APT is about the actors behind those exploits — their objectives, resources and patience.

Consequently, when agencies — and let there be no doubt that all of government is a target of APT — assess the risks they face from a threat of this nature, their focus should be quite different from the traditional Whac-A-Mole cybersecurity approach most now take, which focuses on keeping up with the latest software patches and antivirus signatures.

RSA has a good security brief about the steps involved in defending against APT. (Don’t snicker; if anything, the RSA hack shows that anyone can be victimized.) Although the first step sounds simple, many organizations have never done it: Identify which information assets you value most because chances are those are the ones APT is coming after.

“You need to focus on what’s important on your network rather than trying to secure everything to the highest level,” Peterson said.

Building the capabilities to support that kind of security approach will not be easy, but the process can’t start if executives don’t first recognize exactly what kind of threat they’re facing.