On the Internet, no one knows you’re an authoritarian government

Did you read the recent story about how Google has been notifying Gmail users that their e-mail accounts were under siege by “state-sponsored attackers?” I did, and it’s deeply concerning.

As the New York Times reported, tens of thousands of Google users began receiving notices that their Google and Gmail accounts were “at risk of state-sponsored attacks.” A slew of what the Times described as “American journalists and foreign policy experts” received the warnings and — things being what they are — immediately took to Twitter to pass the news along. The account alerts are part of an initiative, launched by Google in June, to alert its users when the search giant detects evidence that specific accounts have become entangled in global, nation-state backed cyber espionage campaigns.

Salted Hash: CSO Managing Editor Bill Brenner on why he dislikes the use of ‘APT’ in marketing pitches

As I said: it’s deeply concerning but, well, not really news. In fact, what first drew my eyes to the story was the sneaking suspicion that I’d written an almost identical story some time long ago. A couple quick searches confirmed it: September 23, 2010: “Google Warning Gmail users on China Spying Attempts.” The details in that story were pretty much the same as the latest round of coverage: journalists and human rights activists were logging onto their Google accounts and finding out that they had been accessed from abroad I interviewed a victim, Alexander Hanff, who works for Privacy International in the UK. Hanff had recently given a speech at a EU-China Human Rights Network seminar that was attended by high-level officials of the Chinese government. Possibly a coincidence — but who are we kidding, right?

Even two years ago I was late to the story. My then-colleague Ryan Naraine reported on Google’s addition of “suspicious log-in alerts” back in March of the same year. Those alerts notified users when their account was accessed from a suspicious IP address in a suspicious country The story got revamped in June, when Google said it would refine its warnings to call out “state-sponsored attacks” against accounts when they occur. Then, a whole bunch of people got said warnings, and the new cycle started all over again.

In-depth: “What does APT really mean?“

How can we explain this? My opinion is that the security industry’s penchant for speaking euphemistically about cyber threats has grown in proportion to the threats, themselves. And, at this late date, I’ve finally arrived at a point of absurdity. The language we use to talk about the phenomenon of “cyberattacks” has become impossibly opaque and that opacity clouds our understanding of the problem that’s right before us. Speaking so vaguely about so many threats for so long, we’ve lost the ability to even understand what we’re talking about and discern what’s news and what isn’t.

After all, what has really changed in two years? Google went from alerting users about “suspicious log-ins” from foreign countries, to alerting them and naming those countries without ascribing any motive to the attack (“Your account was accessed from China”), to alerting them, naming the country and warning that the hack might be part of a “nation-based” attack — as if your average Gmail user has any clue what that means, or why they should care.

Nowhere is the penchant for euphemism more evident than in the now-widespread use of the term “APT” or “advanced persistent threat.” Almost unknown outside of military and intelligence circles three years ago, APT now graces the pages of countless marketing brochures and Web pages for IT security firms. Formulated as a way for individuals within the military to talk about sophisticated and deeply rooted compromises with links to nation-state actors like China and Russia, the term has grown to encompass all manner of threats: from cybercriminal botnets to the Stuxnet worm. In short: APT means everything and nothing. It’s the perfect cyber foil: scary sounding but vague. It’s ready-made for marketing collateral, if not to explaining who- or what was behind an attack.

Those in the know, like Richard Beijtlich of the firm Mandiant, cautioned all along that APT wasn’t some catch-all term. APTs, Bejtlich argued, were a “who” with specific state actors in mind, not a loosely defined “what.” The term shouldn’t be used interchangeably with other online scourges like spam, phishing and botnets, he said. Not that anyone listened.

Now, after beating the APT drum for years, the industry seems ready to move on. As Google’s ever-shifting alerts suggest: The new mantra isn’t APT, but “state-sponsored attacks” or, as Bejtlich calls them “state-serving adversaries.” That sits well with the zeitgeist inside the Washington D.C. beltway, which is eager to point the finger of blame at shadowy actors in the Middle Kingdom while turning a blind eye to the ever-sensitive topic of what steps the U.S. government and private sector are (or — more accurately — are not) taking to protect their IT assets and staff. But it’s hard to see how piling on more euphemisms like “state serving adversaries” does much to clarify our understanding of current attack methods or how to combat them.

Yes, Google now says it has better methods to spot nation-state sponsored hacks (and thus more victims to warn). There’s evidence that the latest attacks are more diverse — some coming from the Middle East, in addition to China. And, I suppose that calling the compromises “nation-backed’ attacks is progress, of a sort — a baby step in the direction of more transparency as to motive and origin. But what proof does Google have? The company said it “can’t go into the details” of how it knows the attacks are nation-state backed “without giving away information that would be helpful to these bad actors.” How convenient.

So what am I proposing? I propose we strive in all cases for clarity and exactness in talking about attacks — nation backed or otherwise. Whenever possible, we should avoid euphemistic terms like APT and “state sponsored actors” and speak, instead, of what we know for sure, and what we don’t. Let’s forget about the Spy vs. Spy “I could tell you but then I’d have to kill you” stuff.

If you’re Google, don’t say: “Your account may have been the target of a nation-backed attack.”

Instead, how about:

“Hey, Gmailer! We noticed that you were sent an e-mail message that contained a link to a malicious Web site hosted in [COUNTRY]. We can tell you that the same server has been used in other attacks against Gmail accounts starting on [DATE]. The people targeted all appear to have ties to [AFFILIATION].

We can’t tell you much about who or what is behind the phishing e-mail, but we can tell you that those attacked were infected with [MALWARE]. You should alert your employer about receiving this message. We also recommend you change your password to Gmail and other connected accounts, scan your computers for viruses and seriously consider adopting two-factor authentication to protect your accounts! Sorry!”

Verbose, I know. But sometimes less isn’t more — it’s less.