Former CISA and NCSC Heads Warn Against Glamorizing Threat Actor Names
The former heads of the leading cybersecurity government agencies in the US and UK have called for an overhaul in threat actor naming conventions.

Cyber attribution and threat actor naming have sparked long-lasting debates in cyber spheres, at least since Mandiant’s 2013 APT1 report, Exposing One of China’s Cyber Espionage Units, which attributed a name to China’s People’s Liberation Army (PLA) Unit 61398 that the whole cyber community could refer to.

From then on, each new threat actor was tracked under many different names, some fairly prosaic: Mandiant, now part of Google Cloud, and US non-profit MITRE generally use a string of letters and numbers, while other vendors prefer inventive names.

In a June 12 column on the cyber news website Just Security, Ciaran Martin, the first director of the UK’s National Cyber Security Centre (NCSC), and Jen Easterly, the longest-serving director of its US counterpart, the Cybersecurity and Infrastructure Security Agency (CISA), urged private and public sector cyber stakeholders to stop using “glamorized” names for cybercriminals and nation-state actors.

Instead, they called for a vendor-neutral, public taxonomy of threat actors that would enable global alignment and interoperability.


Current Threat Actor Taxonomy “Delays Response Times”

In the post, Martin and Easterly argue that the current approach to threat actor naming has detrimental effects, including:

  • Lacking practicality: The absence of a standardized taxonomy that would enable global alignment and interoperability can ultimately “delay response times and create confusion across Security Operations Centers (SOCs), incident response teams, and executive leadership”
  • Obscuring attribution: The current naming system obscures the true identity of threat actors, making it difficult to understand who is behind the attacks; it can also be misleading, since similar-sounding names can refer to different types of threats (e.g. Salt Typhoon and Volt Typhoon)
  • Mystifying the public: Codenames like Fancy Bear and Volt Typhoon mystify the public, making it harder for people to understand the real threat
  • Glamorizing adversaries: The current naming system often glamorizes threat actors, portraying them as cartoon villains or mythical creatures rather than malicious actors. Codenames can also downplay the severity of the threat and the harm these actors cause
  • Serving marketing purposes rather than accuracy: The current naming conventions serve marketing purposes more than the cybersecurity mission, turning each name into a form of brand identity for the firm that coined it

“No one knows yet whether the cybercriminals behind the recent crisis in British retail really are Scattered Spider, whether they’re the same personnel who hacked Las Vegas casinos, or who they’re working with,” explained the authors.

They also argued that using names like ‘Scattered Spider’ in mainstream news headlines “is, if you step back, an objectively ridiculous way to inform the public about how organized criminals have stopped one of the United Kingdom’s most iconic retailers from selling food and clothes to millions of customers for months.”


Microsoft and CrowdStrike Threat Naming Alignment

While Martin and Easterly emphasized that most previous initiatives attempting to standardize threat actor naming conventions have failed, they said they welcomed the latest such effort.

In early June 2025, Microsoft and CrowdStrike decided to better align their naming and categorization of cyber threat actors, with contributions from Google Cloud’s Mandiant and Palo Alto Networks’ Unit 42.

The former heads of national cyber agencies described this announcement as “a meaningful gesture” and “an important and positive step.”

“Microsoft and CrowdStrike say they’ve already deconflicted more than 80 adversary groups—a noteworthy achievement,” added the authors of the column.

However, they believe that simply aligning proprietary names is not enough. “While this collaboration is a helpful start, it will ultimately fall short if it stops at cross-referencing proprietary names rather than fundamentally reforming the way we label and identify adversaries in cyberspace.”

Call for a Vendor-Neutral Threat Naming System

Instead, they call for governments to work with the private sector to establish a universal, vendor-neutral cyber threat actor naming system that avoids glamorizing the actors – for example, by using country names instead of names of animals or mythical beasts associated with those countries.

They also urged governments and law enforcement agencies to promote these standardized names when publicly attributing cyber-attacks.

“The oft-repeated claim that a single universal naming system is ‘not practical’ or ‘not possible’ simply isn’t credible,” Martin and Easterly argued.

“The international community has standardized complex naming systems in every domain from biology to medicine to defense. NATO has a universal designation system for aircraft and missiles. We have International Classification of Diseases codes to standardize language for recording and classifying health data. Foreign intelligence partners frequently develop common naming conventions for sharing information about security threats, including cyber actors,” they added.
