Tim Bourgaize Murray: RIP, “APT”
When a real problem meets dated jargon.

In a world where words and catchphrases drift in and out of style, etymology is all the more important and too often ignored. To wit, and believe it or not, I briefly debated using “On Leek” parodying “on fleek” to headline this month’s cover story. Understanding where verbiage comes from should help explain what it means and why, all of a sudden, Twitter is obsessed with hashtagging it.
Of course, the same goes for technology speak. Take, for instance, a cyber-related situation back in 2011, when a state actor compromised RSA, the vendor that builds token-password technology used by most Fortune 500 companies. The actor turned out to be China, but everyone involved was reticent to say as much.
Back then, it wasn’t politically kosher to identify the country, as one senior technologist recently put it to me, so a new term—“advanced persistent threat”—was coined and served to obfuscate things until an army general at US Cyber Command, Keith Alexander, and US senator Carl Levin decided enough was enough, and, in a surprising turnabout, finally “outed” the perpetrator. That same chief technologist said the term—more simply known now as APT—could probably have gone away then and there, without anyone noticing.
Drawing Ire
But the opposite happened. Four years later, APT is probably the second most commonly used acronym in cybersecurity chatter, after DDoS (distributed denial of service), but it draws a lot more ire from CISOs. In a recent Waters story on the Carbanak bank breach, one source even made his own sarcastic revision, noting that the Kaspersky press push was really an AVT—advanced vendor threat. Ouch.
So what’s the problem? Well, like anything else that is highly marketed, the concept of an APT doesn’t exactly fit reality. There are many persistent threats facing financial services firms, and more rarely, there are bespoke, advanced threats that go after intellectual property or source code—but it isn’t too often that the Venn diagram overlaps. Yet we’re led to believe that in each and every moment we’re facing a cyber-Armageddon … and even the world’s most careful media organizations are happy to go along with that narrative.
It would seem counterintuitive, but the most level-headed bunch in the security space—at times, even playing things down—are actually the CISOs themselves. As rational actors, they would seem most likely to play up the threat. Bigger budgets and more personnel would probably follow.
Instead, it’s almost as if they’re in the opposite role: managing the risk, of course, but dispelling rumors and reassuring board members that, yes, actually, the firm has known for months, if not years, about the cyber news they read in the Financial Times yesterday. It must be an awfully strange position to hold in 2015, though obviously an exciting one—as we hope the entirety of the April issue of Waters has shown.
More Wheat, Less Chaff
From a vendor’s perspective, it should be an interesting space to watch, too. The major names in the space haven’t really changed yet, but if Blackstone is any indication, it does seem that more major capital markets firms are increasingly looking to start-ups rather than establishment players to fit what they need. I imagine the arguments are traditional ones: better service levels, greater customization and the opportunity to mold the product (and in Blackstone’s case, the company itself) earlier on—more wheat, less chaff.
Authorities are closing in on identifying the perpetrators of the JP Morgan Chase data theft from last year, and I imagine the industry is watching closely. Not for the contour or source of the threat—most everyone with a cyber-intelligence provider probably already knows most of that—but rather for the way it is handled by the regulatory and government authorities. In short, the way it’s spun.
Which gets back to the roots of the problem with cyber: it’s fluid and complicated enough, and we’d be better off without an additional patina of jargon coating it.