Telstra's chief information security officer Mike Burgess has delivered a withering attack on organisations that focus too much on attributing cyber attacks, or blame the 'sophisticated' attackers for their networks being hacked.
"The discussion and debate that occurs here takes away from focusing on the human element of this problem, and [from] understanding the root cause," Burgess told Check Point's Cyber Security Symposium in Sydney on Tuesday.
"Don't get me wrong at this point. I'm not saying that attribution isn't important. I'm not saying that issues of source, great technical intelligence, and other forms of intelligence to understand the threat and the intentions of those looking to steal information from you, or disrupt your organisation for some purpose that may be unknown to you, [are not important]," he said.
"But what I observe, what I fear, what I see too much of, is many commentators, many in the industry, and many in media, focus on attribution, with very little focus on the root cause. No-one should lose valuable information where at the root cause there is a known remedy. For me, that is unforgivable in this day and age. And I've got to tell you -- my view at least -- too much of this distraction around attribution takes away from focusing on what's really important here."
Burgess referred to this wrong-headed focus as "attribution distraction" and "threat distraction". He illustrated his point with some of the language used by companies to explain away massive data breaches.
After the Home Depot breach, for example, the company said: "The malware used in the attacks had not been seen in any prior attack, and was designed to evade detection by anti-virus software."
"Really?" said Burgess with dripping sarcasm, to audience laughter. "I mean, really?"
After the Anthem breach, that company said: "We have state-of-the-art information security systems to protect your data. However, despite our efforts, Anthem was the target of a very sophisticated external cyber attack."
"Really?" said Burgess again. "I'm not meaning to disparage others, because I know this is a hard challenge. But really, when I see language like that, the use of the word 'sophisticated', I do worry."
Attribution distraction was at "fever pitch" in the aftermath of the Sony Pictures hack, Burgess told the conference.
"You see language like this: 'a brazen cyber attack'. Well, maybe I'd agree with them on that one. But interestingly, in an internal memo: 'unprecedented in nature' [and] 'the malware was undetectable by industry-standard anti-virus software'.
"Really? Here we go again: 'The attack was an unparalleled and well-planned crime carried out by an organised group, for which Sony Pictures nor other companies could have been fully prepared'," he said.
"Well, excuse me for saying this, but actually, it is a reasonably foreseeable event that someone will attempt to hack your organisation to steal data from you, or someone will attempt to hack your organisation to disrupt your organisation. I disagree with Sony in that comment. You have to be prepared. You've got no excuses."
Burgess pointed out that in most of the major breaches, there was a root cause with a known remedy for that vulnerability or weakness. We know that socially-engineered emails arrive with a malicious attachment, or with a link to a web-based exploit of a known vulnerability. We know about the exploitation of vulnerable web-facing code. "For 99.999 percent of that, there is a known remedy, and we must focus on that. These threats aren't new. They're not going to go away. We have to take them seriously."
Burgess also spoke out against an excessive focus on technological measures. He understands that technology is important, and that much more can be done. But managing the risk requires an understanding of the human element, something which is "just as important".
"If anyone thinks that this is a problem brought about by technology, and solvable by technology alone, I'm sorry, but I've got news for you. That will take away from you being able to effectively manage this risk," Burgess said.
"Cybercrime is just a crime, cyber espionage is just espionage, hacktivism is just protest," he said.
"[But] in this day of connectivity and continuous uptake in technology, ... crime, protest, espionage, and even mistakes, happen at a pace, scale and reach which is unprecedented." And so can their impact. "This is the reality that we must deal with."
Burgess outlined how Telstra structures its approach to dealing with this reality using its "Five Knows of Cyber Security", a framework that Telstra has been presenting both internally and externally over the last six months.
Telstra's Five Knows of Cyber Security are detailed in the company's Cyber Security Report 2014 (PDF).