A number of cybersecurity firms are pushing back against recent comments made by a director at UK intelligence agency GCHQ, who accused them of using an exaggerated fear of hacking, especially state-sponsored threats, to flog products.
Dr Ian Levy, speaking at the US-based 'Enigma' conference on 3 February, said: "We are allowing massively incentivised companies to define the public perception of the [hacking] problem." Levy heads up the agency's new National Cyber Security Centre (NCSC) as technical director.
He criticised an overuse of the term advanced persistent threat (APT), which typically includes hackers backed by a government or state. Tensions over such attacks are at an all-time high following the US-Russia cyber-rhetoric that has escalated over the past 12 months.
As reported by The Register, he said: "You end up with a narrative that basically says 'you lot are too stupid to understand this and only I can possibly help you [so] buy my magic amulet and you'll be fine.' It's medieval witchcraft, it's genuinely medieval witchcraft."
Referencing the hack of UK telecom TalkTalk in 2015, Dr Levy maintained that the majority of successful cyberattacks and hacks are not that sophisticated, still using rudimentary but reliable tactics such as SQL injections or email phishing to infect computers.
But, perhaps unsurprisingly, a few cybersecurity companies (yes, which have things to sell) disagree. "The perception that witchcraft or secret methods of intrusion are in play is nonsense," said Philip Lieberman, chief executive of Lieberman Software.
He continued: "Without question, some security software vendors provide a never-ending stream of hyperbole to create fear.
"Although each vendor says they have the silver bullet to stop the problem, the reality is only the effectiveness is in question, not the threat itself. The effectiveness of the 'solutions' may be in question, but the threat and consequences are real."
Mark James, an IT specialist with ESET, a firm which sells anti-virus services, added: "With so much of our infrastructure running on technology these days we have to treat this type of threat with respect. We should not in any way underestimate cybercriminals.
"Explaining the problem [...] is not an easy task; too little and people don't understand they are at risk, too much and people think you are scaremongering. Finding the right approach to help someone stay safe against a threat that may or may not happen is not easy."
Yet Graham Cluley, a security commentator, argues Levy is correct in saying cybercriminals are not as sophisticated as they may sometimes appear. "Cybercriminals are often not geniuses for a very good reason. They don't need to be," he said in a blog post.
"We make it too easy for them to succeed," he added. "And often it will be a human failing which gives the malicious hacker the opportunity they need to break in and infect computers or steal information."
Levy's NCSC was launched last October to help protect UK consumers and businesses from cybercrime. His comments came as MPs released a critical report about the UK government, saying its approach to online attacks is often "inconsistent and chaotic".