On the Internet, no one knows you're an authoritarian government

Did you read the recent story about how Google has been notifying Gmail users that their e-mail accounts were under siege by "state-sponsored attackers?" I did, and it's deeply concerning.

As the New York Times reported, tens of thousands of Google users began receiving notices that their Google and Gmail accounts were "at risk of state-sponsored attacks." A slew of what the Times described as "American journalists and foreign policy experts" received the warnings and -- things being what they are -- immediately took to Twitter to pass the news along. The account alerts are part of an initiative, launched by Google in June, to alert its users when the search giant detects evidence that specific accounts have become entangled in global, nation-state backed cyber espionage campaigns.


As I said: it's deeply concerning but, well, not really news. In fact, what first drew my eyes to the story was the sneaking suspicion that I'd written an almost identical story some time long ago. A couple of quick searches confirmed it: September 23, 2010: "Google Warning Gmail users on China Spying Attempts." The details in that story were pretty much the same as the latest round of coverage: journalists and human rights activists were logging onto their Google accounts and finding out that they had been accessed from abroad. I interviewed a victim, Alexander Hanff, who works for Privacy International in the UK. Hanff had recently given a speech at an EU-China Human Rights Network seminar that was attended by high-level officials of the Chinese government. Possibly a coincidence -- but who are we kidding, right?

Even two years ago I was late to the story. My then-colleague Ryan Naraine reported on Google's addition of "suspicious log-in alerts" back in March of the same year. Those alerts notified users when their account was accessed from a suspicious IP address in a suspicious country. The story got revamped in June, when Google said it would refine its warnings to call out "state-sponsored attacks" against accounts when they occur. Then, a whole bunch of people got said warnings, and the news cycle started all over again.


How can we explain this? My opinion is that the security industry's penchant for speaking euphemistically about cyber threats has grown in proportion to the threats themselves. And, at this late date, we've finally arrived at a point of absurdity. The language we use to talk about the phenomenon of "cyberattacks" has become impossibly opaque, and that opacity clouds our understanding of the problem that's right before us. Speaking so vaguely about so many threats for so long, we've lost the ability to even understand what we're talking about and to discern what's news and what isn't.

After all, what has really changed in two years? Google went from alerting users about "suspicious log-ins" from foreign countries, to alerting them and naming those countries without ascribing any motive to the attack ("Your account was accessed from China"), to alerting them, naming the country and warning that the hack might be part of a "nation-based" attack -- as if your average Gmail user has any clue what that means, or why they should care.

Nowhere is the penchant for euphemism more evident than in the now-widespread use of the term "APT" or "advanced persistent threat." Almost unknown outside of military and intelligence circles three years ago, APT now graces the pages of countless marketing brochures and Web pages for IT security firms. Formulated as a way for individuals within the military to talk about sophisticated and deeply rooted compromises with links to nation-state actors like China and Russia, the term has grown to encompass all manner of threats: from cybercriminal botnets to the Stuxnet worm. In short: APT means everything and nothing. It's the perfect cyber foil: scary sounding but vague. It's ready-made for marketing collateral, if not for explaining who or what was behind an attack.

Those in the know, like Richard Bejtlich of the firm Mandiant, cautioned all along that APT wasn't some catch-all term. APTs, Bejtlich argued, were a "who" with specific state actors in mind, not a loosely defined "what." The term shouldn't be used interchangeably with other online scourges like spam, phishing and botnets, he said. Not that anyone listened.

Now, after beating the APT drum for years, the industry seems ready to move on. As Google's ever-shifting alerts suggest: the new mantra isn't APT, but "state-sponsored attacks" or, as Bejtlich calls them, "state-serving adversaries." That sits well with the zeitgeist inside the Washington D.C. beltway, which is eager to point the finger of blame at shadowy actors in the Middle Kingdom while turning a blind eye to the ever-sensitive topic of what steps the U.S. government and private sector are (or -- more accurately -- are not) taking to protect their IT assets and staff. But it's hard to see how piling on more euphemisms like "state-serving adversaries" does much to clarify our understanding of current attack methods or how to combat them.

Yes, Google now says it has better methods to spot nation-state sponsored hacks (and thus more victims to warn). There's evidence that the latest attacks are more diverse -- some coming from the Middle East, in addition to China. And, I suppose that calling the compromises "nation-backed" attacks is progress, of a sort -- a baby step in the direction of more transparency as to motive and origin. But what proof does Google have? The company said it "can't go into the details" of how it knows the attacks are nation-state backed "without giving away information that would be helpful to these bad actors." How convenient.

So what am I proposing? I propose we strive in all cases for clarity and exactness in talking about attacks -- nation-backed or otherwise. Whenever possible, we should avoid euphemistic terms like APT and "state-sponsored actors" and speak, instead, of what we know for sure, and what we don't. Let's forget about the Spy vs. Spy "I could tell you but then I'd have to kill you" stuff.

If you're Google, don't say: "Your account may have been the target of a nation-backed attack."

Instead, how about:

"Hey, Gmailer! We noticed that you were sent an e-mail message that contained a link to a malicious Web site hosted in [COUNTRY]. We can tell you that the same server has been used in other attacks against Gmail accounts starting on [DATE]. The people targeted all appear to have ties to [AFFILIATION].

We can't tell you much about who or what is behind the phishing e-mail, but we can tell you that those attacked were infected with [MALWARE]. You should alert your employer about receiving this message. We also recommend you change your password to Gmail and other connected accounts, scan your computers for viruses and seriously consider adopting two-factor authentication to protect your accounts! Sorry!"

Verbose, I know. But sometimes less isn't more -- it's less.
