Introduction
Former leaders of key cybersecurity agencies in the US and UK have advocated for a comprehensive reform of the naming conventions for cyber threat actors [2]. This call for change stems from the ongoing debate over cyber attribution and naming practices, which have been problematic since the 2013 Mandiant APT1 report. The report set a precedent for naming threat actors, leading to a confusing array of identifiers that complicate cybersecurity efforts.
Description
Former leaders of key cybersecurity agencies in the US and UK have called for a comprehensive overhaul of the naming conventions for cyber threat actors. The contentious debate surrounding cyber attribution and naming practices has persisted since Mandiant’s 2013 APT1 report [4], which attributed APT1 to China’s People’s Liberation Army (PLA) Unit 61398 [1] [4]. This report established a precedent for naming threat actors [4], resulting in a confusing mix of generic alphanumeric identifiers and imaginative names that hinder effective cybersecurity responses.
Ciaran Martin, the inaugural director of the UK’s National Cyber Security Agency (NCSC), and Jen Easterly, former director of the US Cybersecurity and Infrastructure Security Agency (CISA), have emphasized the need to abandon “glamorized” names for cybercriminals and nation-state actors [1] [2] [4]. They argue that the lack of a standardized taxonomy complicates the work of Security Operations Centers (SOCs) and incident response teams, delaying the handling of cyber incidents [2]. Current naming practices often obscure the true identities of threat actors [2], and similar-sounding names can refer to entirely different threats [1], such as “Salt Typhoon” and “Volt Typhoon.” Such glamorization, with names resembling cartoon villains or mythical creatures, diminishes the perceived severity of these actors’ actions and misrepresents the nature of the threats, which include state-sponsored espionage and disruptive attacks on critical infrastructure [1] [3].
Recent high-profile cyber incidents in the retail sector have highlighted the detrimental effects of sensationalized names in media reporting [2]. While initiatives by companies such as Microsoft and CrowdStrike aim to align their naming conventions and have already deconflicted over 80 adversary groups, a vendor-neutral, public taxonomy remains elusive [1] [3] [4]. True reform is seen as requiring a comprehensive overhaul rather than the mere alignment of proprietary names [2]. Claims that a universal naming standard is impractical only undermine efforts toward global alignment [3].
There is a growing call for collaboration between governments and private-sector stakeholders to establish a transparent, standardized naming system that emphasizes accuracy and avoids sensationalism [2]. Such a system would favor straightforward identifiers linked to the countries associated with the threats [2]. Martin and Easterly advocate the adoption of standardized names in public attributions of cyber-attacks, citing successful examples from other fields, such as NATO’s designation systems in defense and established practices in medicine [2]. This reform is seen as essential for improving communication about cyber threats, helping organizations and the public understand and respond to the evolving landscape of cyber risks [2]. Governments can play a crucial role by promoting standardization and agile attribution of attacks, while public-private partnerships could adopt and reward adherence to clear naming conventions [3]. This shift matters not only for the cybersecurity community but also for the broader society affected by these threats, since accurate naming improves both understanding of and response to the risks posed by cyber adversaries [3].
Conclusion
The push for standardized naming conventions in cybersecurity is crucial for enhancing the clarity and effectiveness of threat identification and response. By moving away from sensationalized and inconsistent naming practices, the cybersecurity community can improve communication and understanding of cyber threats. This reform requires collaboration between governments and private sector stakeholders to establish a transparent and accurate naming system. Such efforts will not only benefit cybersecurity professionals but also the broader society by facilitating a more informed and coordinated response to cyber risks.
References
[1] https://ciso2ciso.com/former-cisa-and-ncsc-heads-warn-against-glamorizing-threat-actor-names-source-www-infosecurity-magazine-com/
[2] https://trustcrypt.com/former-cisa-and-ncsc-leaders-caution-against-the-glamorization-of-threat-actor-names/
[3] https://www.justsecurity.org/114442/cyber-threat-actor-naming/
[4] https://www.infosecurity-magazine.com/news/former-cisa-ncsc-threat-actor-names/