“we are allowing massively incentivised companies to define the public perception of the problem”.
GCHQ technical director Dr Ian Levy claimed that security firms had exaggerated the threat posed by hackers to promote the services they offer, and to sell more hardware.
Dr Ian Levy, of the UK’s National Cyber Security Centre made the accusation in a speech at the Enigma 2017 conference. Dr Ian Levy OBE is the GCHQ Technical Director for Cybersecurity and Resilience, responsible for the technical strategy and content of GCHQ’s security mission.
He said that security firms had exaggerated the threats posed by hackers to promote the services they offer, and to sell more hardware.
He attacked the omnipresent and unstoppable presentation of hackers, and the description of their actions as posing “advanced and persistent threats”. He instead labels these figures as “adequate pernicious toe-rags”, deflating the image he believes security firms have produced.
Dr Levy said that the situation is “genuinely medieval witchcraft”, with firms tapping into an area in which there is a general lack of understanding, and emphasising their own capabilities and insights to drive traffic to their products.
Dr Levy says that “we are allowing massively incentivised companies to define the public perception of the problem”. The angle presented by Levy comes amid a heightening global conversation regarding the impending risk of cyber-threats that have developed beyond the control of major institutions.
Examples of the extent of the reactions to the recent concerns regarding cyber-attacks include a stern warning at Davos, with UK MPs questioning cyber-defences and President Trump poised over a new order on cybersecurity.
David Gibson, VP of strategy and market development at Varonis disagrees with the stance of Dr Levy, and said: “Dr. Levy focuses on the wrong issue by debating the level of sophistication vendors portray when defining the threat landscape. We live in an era defined by ‘when’ organisations will get breached, not ‘if’ or ‘why.’ In other words, whether these attacks are from highly skilled attackers or not, the simple fact of data breach statistics demonstrates there is a high rate of success from this population.”
Dr Levy is not without support on this outlook however, as Ilia Kolochenko, CEO of cybersecurity firm High-Tech Bridge said: “I totally agree with the UK’s NCSC comment. Today too many cybersecurity startups try to boost their sales by FUD (Fear, Uncertainty and Doubt) tactics.”
Kolochenko summarises by saying “at the end of the day, companies purchase cybersecurity products that they don’t really need or that are not appropriate for their risks, business processes or infrastructure.”
Another angle of opposition to Dr Levy comes from Mark James, IT Security Specialist at ESET, who has said: “We should not in any way underestimate cyber criminals. With so much of our infrastructure running on technology these days we have to treat this type of threat with respect. As more and more of our world becomes connected and capable of sharing, storing and archiving data we should treat security as our number 1 priority.”