Former CISA and NCSC Leaders Caution Against the Glamorization of Threat Actor Names
The former leaders of key cybersecurity agencies in the US and UK have emphasized the need for significant reforms in the naming conventions of cyber threat actors. This discussion has gained traction as cyber attribution and the labeling of threat actors have been contentious topics in cybersecurity for years, notably since the influential 2013 report by Mandiant, which identified APT1 as a Chinese cyber espionage unit.
Since that landmark report, various threat actors have been categorized under diverse designations; some organizations rely on generic alphanumeric identifiers, while others adopt more imaginative or sensational names. This has led to calls for a standardized, vendor-neutral taxonomy that would facilitate global consistency and interoperability.
Ciaran Martin, the inaugural director of the UK’s National Cyber Security Agency (NCSC), and Jen Easterly, the former director of the Cybersecurity and Infrastructure Security Agency (CISA), highlighted in a recent publication the drawbacks of glamorizing threat actor names. They advocated for a taxonomy devoid of embellishments, aimed at accurately reflecting the nature of the threats posed by cybercriminals and state-sponsored actors.
Martin and Easterly outlined several significant issues stemming from the current naming practices:
– Impracticality: The absence of an industry-standard taxonomy hampers the ability of Security Operations Centers (SOCs) and incident response teams to respond uniformly and efficiently, leading to delays and confusion in managing cyber incidents.
– Obscured Attribution: Existing naming conventions can obscure the identities of threat actors, complicating the understanding of their motivations and affiliations. For instance, similar-sounding names may refer to distinct threats, which can mislead stakeholders.
– Public Confusion: Codenames like “Fancy Bear” and “Volt Typhoon” often mystify the public, hindering awareness of the genuine risks involved.
– Glamorization of Adversaries: The tendency to depict threat actors as “cartoon villains” detracts from the serious nature of cyber threats and downplays the impact of their actions.
– Marketing Over Substance: Current naming practices are often aimed more at corporate branding than at facilitating clarity in cybersecurity discussions.
In light of recent high-profile cyber incidents in the retail sector, including attacks on significant UK retailers, the authors criticized the use of sensationalized names in media reporting as detrimental to public understanding of the threats involved.
They acknowledged that previous efforts to create standardized naming systems have often fallen short but welcomed a recent initiative by Microsoft and CrowdStrike aimed at better aligning their naming conventions for threat actors. This collaborative effort, which includes input from other cybersecurity organizations, is viewed as a promising step, yet the former agency heads insist that true reform requires a comprehensive overhaul rather than mere alignment of proprietary names.
The authors called on governments to collaborate with private sector stakeholders to establish a universal threat actor naming system that avoids sensationalism, advocating for straightforward identifiers, such as the countries associated with these threats, instead of using metaphorical names.
They contended that the notion of standardizing naming conventions is not only feasible but has been accomplished in various fields, such as medicine and defense, citing examples like NATO’s universal designation systems for military assets and standardized classifications in healthcare.
This call for reform is a significant step toward more effective communication about cyber threats, ultimately aiding organizations and the general public in better understanding and responding to the evolving landscape of cyber risks.