For those of you who have never read the book or seen the movie The Princess Bride, the meaning behind the title can be found here (go ahead, we’ll wait). I use that phrase in reference to all the times people use the word “sophisticated” to describe a hack (or malware), or to be more precise, how hackers breached the defenses of an unfortunate victim. To paraphrase Voltaire: this would be a much more useful conversation if we agreed on what all the words meant.
From a technology perspective, sophisticated is generally meant to mean advanced or complex. As generally used in cybercrime reporting, “sophisticated” is what people say when they are either trying to cover-up shoddy performance or trying to justify an outrageous invoice. That sounds a little harsh, but the truth will out and the hyperbole of first reporting is almost always tempered once all the facts available (nothing makes me happier than to have my cynicism proved wrong.).
This is not to say that there are no sophisticated hacks. If you’re trying to destroy some large, intricate, well-protected, non-commodity-based system that cannot be accessed in a trivial manner, then you indeed have to come up with something advanced – novel even – in order to succeed. But if in the aftermath of an event it comes to light that system defenders didn’t take the most fundamental precautions against attack – as is almost overwhelmingly the case – “sophisticated” is just a smokescreen.
Most hacks are neither advanced nor complex. Iterations of the age-old? Variations on a theme? Certainly. Sophisticated? Maybe if you’re being extremely liberal with your definitions. Tedious and uninteresting as this issue may be for technical practitioners, its important if we're ever going to hope to make headway in this business. When your words mean whatever you want them to mean at any given moment, how can you ever hope to advance your cause? How do you expect to be taken seriously by the very serious people who make the life or death decisions in this country? Big boost in cybersecurity spending coming? Sure, because we're not shooting at people, which is what very serious people concern themselves with above all else (then taxes, health care, etc., etc.).
Anthem is a victim. We should do everything we can to provide them with as much help and sound advice as we can muster. But if there is one over-arching favor you can do for your customers, your profession, and 'netizens as a whole, its to establish a widely-accepted and accessible lexicon and don't misuse or abuse it.