In a keynote speech at the Usenix Enigma security conference, Dr Ian Levy, technical director of the UK’s National Cyber Security Centre, claims that cyber security companies play up hackers’ abilities to help them sell security hardware and services.
He likened the practice of cyber security firms to “witchcraft”, with their claims that only they could defeat hackers.
“We are allowing massively incentivised companies to define the public perception of the problem,” he is reported as saying.
“If you call it an advanced persistent threat, you end up with a narrative that basically says ‘you lot are too stupid to understand this and only I can possibly help you – buy my magic amulet and you’ll be fine.’ It’s medieval witchcraft, it’s genuinely medieval witchcraft.”
His suggestion is that security companies portray hackers as evil, hugely skilled masterminds, using over-emphasised language to describe them.
He alluded repeatedly to the idea that the majority of attacks are not very sophisticated. As evidence he cited an attack on a UK telecommunications company last year that was perpetrated by a teenager, using code older than himself.
Finally, he urged businesses to work with – and learn from – the UK’s National Cyber Security Centre (set up four months ago in October) as it had successfully cut the number of threats hitting UK shores, or wires.
This speech was no doubt controversial and will certainly have ruffled some feathers. So it is interesting to see what other cyber security experts make of Levy’s speech.
David Gibson, VP of strategy and market development at Varonis, said “Levy is absolutely right; cybercriminals are not masterminds at all. With 100,000 ransomware attacks per day, it’s clear you don’t need to be a mastermind to do damage. While nation-state attacks are scary, the reality is that companies are woefully unprepared to deal with unsophisticated attacks by any script-kiddie who knows how to browse a network share.”
“He’s not wrong to criticise the cybersecurity industry, because many take a reactive approach to the latest headline threats such as nation-state attackers. Don’t get caught up in the sophisticated hacker and reacting with an expense-in-depth approach—stockpiling the latest security technologies as mentioned in this recent Forrester study.”
“The reality is that most attacks aren’t sophisticated and could be thwarted or mitigated by companies taking a thoughtful approach to data security—what content do I need to protect, who can access it, who is using it and is that normal behaviour. Trust has always been the bedrock of any relationship and that doesn’t change with cybersecurity.”
Stephen Gates, chief research intelligence analyst at NSFOCUS, added “Anyone with little if any cybersecurity knowledge could easily read the news and quickly realise that hackers are gaining ground at tremendous rates.”
“In this past year alone, the world witnessed the largest breaches of personal information ever recorded, billions of dollars in cyber-induced financial losses, the largest DDoS attacks ever recorded, ransomware infections impacting nearly every entity on the Internet, extortion demands growing at exponential rates, massive botnets of IoT devices impacting the globe, country-wide ISP outages, and the list goes on-and-on.”
“Security companies don’t need to exaggerate on the problem. Wake up world, it’s all around us, and nearly everyone has been impacted by hackers in some fashion or another.”
Paul Calatayud, CTO at FireMon, said “Dr. Levy focuses on the wrong issue by debating the level of sophistication vendors portray when defining the threat landscape. We live in an era defined by ‘when’ organisations will get breached, not ‘if’ or ‘why.’ In other words, whether these attacks are from highly skilled attackers or not, the simple fact of data breach statistics demonstrates there is a high rate of success from this population. Thus, the concerns of breach and cyber defence strategies to defend it do, in fact, hold a very important level of attention in many organisations.”
“This transcends technology, but technology cannot be avoided. As an example, antivirus in its traditional state is a technology that by the assertion from the AV vendors themselves blocks 40% of malware. Is the attacker sophisticated or not in order to bypass antivirus? As a prior CISO, I don’t care, what I know is it’s possible, it’s happening, and I need to be aware so that I don’t have a false sense of security in terms of my current technologies.”
Similarly, Mark James, IT security specialist at ESET, concluded “We should not in any way underestimate cyber criminals. With so much of our infrastructure running on technology these days we have to treat this type of threat with respect. As more and more of our world becomes connected and capable of sharing, storing and archiving data we should treat security as our number 1 priority.”
“Explaining the problems, threat landscape and measures needed to protect against an evolving “living” threat is not an easy task; too little and people don’t understand they are at risk, too much and people think you’re scaremongering. Finding the right approach to help someone stay safe against a threat that may or may not happen is not easy, and underestimating cyber criminals is not the way to do it.”