Claiming a hack was launched by a foreign government is the ultimate get-out-of-jail-free card for embarrassed corporate executives.
That line from Bloomberg News' coverage of the Yahoo hack of at least 500 million user accounts sums up the ridiculous attitude so many in management (and in public relations) take toward cyber security. In blaming a "state-sponsored actor, " Yahoo seems to be trying to tell us "there's nothing we could do." JPMorgan tried a similar tactic, with little success, after a 2014 hack.
It's as if foreign governments are expected to be able to breach any firm's cyber-security measures, and corporations should be forgiven.
Cyber security is one of the few areas where victim-blaming might be considered acceptable, and by victim, I mean the companies. In reality, the real victims are the customers, because little downside ever seems to visit the corporations, or their executives.
Yahoo's declining relevance to advertisers can be seen in its shrinking share of global spend, yet its legacy mail service and large user base make the latest hack a massive security breach
Source: Bloomberg Intelligence
I know I'm going out on a limb here, but by implying a hack is state-backed, and thus couldn't be stopped, corporations are by extension blaming users themselves. That's not acceptable.
Obfuscation aside, it may not be an entirely stupid move to blame a nation like China, Russia, North Korea or the U.S. (come on, if you're pointing fingers don't leave anyone out!). You see, a state-backed hack may be better news than a non-government attack. Crazy, I know, but hear me out.
Yahoo accounts violated
If a government is hacking your service provider, it's more likely to be looking for strategically valuable information, or a way to extract information from a strategically valuable person. If you're an average Joe teaching gym at the local high school you're probably not on the hacker's radar. If you're a White House staffer sending POTUS's private schedule - or nuclear launch codes - to your Yahoo Mail account, then you're SOL.
A non-government hacker is probably in it for commercial reasons. Stealing credentials en masse to sell to the highest bidder is just one business model. And since buyers know that even coach Joe has a credit card, that's valuable information.
There's nothing to suggest a state-sponsored hacker isn't also in it for commercial reasons - heck, a bit of ransomware would be a great way to fund the office Christmas party - but that's not usually their primary purpose. At the same time, remember that state-sponsored and commercial hacks aren't mutually exclusive.
While Yahoo's position in the global internet economy is declining, its legacy status and massive email base make this breach important, and damaging. Blaming it on a state-sponsored actor looks suspiciously like PR spin, but the alternative could be worse.