In a drumbeat of news stories and corporate press releases, one phrase has dramatically grown in use over the last decade: “sophisticated cyber attack.” These words have been used to describe specific intrusions into telecommunication providers, insurance companies, social media hubs, banks, the Pentagon, a host of security firms, government agencies, research labs, movie studios, and much more. It seems the world is awash in sophisticated network intrusions.
But if everything is sophisticated, nothing is. This paper unpacks “sophistication” in cyber operations, exploring what it means, and what it should mean, for an operation to attain such a status. It examines the incentives for victims and observers to overstate the sophistication of other actors. Additionally, it offers a more rigorous framework for defining the term that takes into account technical and operational factors. But deploying the lens of sophistication by itself can be misleading; this paper also explores the incentives some actors have to deploy less sophisticated capabilities.