While listening to a webcast this morning, I heard the speaker mention
There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked.
He credited Cisco CEO John Chambers but didn’t provide any source.
That didn’t sound right to me. I could think of two possible antecedents. so I did some research. I confirmed my memory and would like to present what I found here.
John Chambers did indeed offer the previous quote, in a January 2015 post for the World Economic Forum titled What does the Internet of Everything mean for security? Unfortunately, neither Mr Chambers nor the person who likely wrote the article for him decided to credit the author of this quote.
Before providing proper credit for this quote, we need to decide what the quote actually says. As noted in this October 2015 article by Frank Johnson titled Are there really only “two kinds of enterprises”?, there are really (at least) two versions of this quote:
A popular meme in the information security industry is, “There are only two types of companies: those that know they’ve been compromised, and those that don’t know.”
And the second is like unto it: “There are only two kinds of companies: those that have been hacked, and those that will be.”
We see that the first is a version of what Mr Chambers said. Let’s call that 2-KNOW. The second is different. Let’s call that 2-BE.
The first version, 2-KNOW, can be easily traced and credited to Dmitri Alperovitch. He stated this proposition as part of the publicity around his Shady RAT report, written while he worked at McAfee. For example, this 3 August 2011 story by Ars Technica, Operation Shady RAT: five-year hack attack hit 14 countries, quotes Dmitri in the following:
So widespread are the attacks that Dmitri Alperovitch, McAfee Vice President of Threat Research, said that the only companies not at risk are those who have nothing worth taking, and that of the world’s biggest firms, there are just two kinds: those that know they’ve been compromised, and those that still haven’t realized they’ve been compromised.
Dmitri used slightly different language in this popular Vanity Fair article from September 2011, titled Enter the Cyber-Dragon:
Dmitri Alperovitch, who discovered Operation Shady rat, draws a stark lesson: “There are only two types of companies—those that know they’ve been compromised, and those that don’t know. If you have anything that may be valuable to a competitor, you will be targeted, and almost certainly compromised.”
No doubt former FBI Director Mueller read this report (and probably spoke with Dmitri). He delivered a speech at RSA on 1 March 2012 that introduced question 2-BE into the lexicon, plus a little more:
For it is no longer a question of “if,” but “when” and “how often.”
I am convinced that there are only two types of companies: those that have been hacked and those that will be.
And even they are converging into one category: companies that have been hacked and will be hacked again.
Here we see Mr Mueller morphing Dmitri’s quote, 2-KNOW, into the second, 2-BE. He also introduced a third variant — “companies that have been hacked and will be hacked again.” Let’s call this version 2-AGAIN.
The very beginning of Mr Mueller’s quote is surely a play on Kevin Mandia’s long-term commitment to the inevitability of compromise. However, as far as I could find, Kevin did not use the “two companies” language.
One article that mentions version 2-KNOW and Kevin is this December 2014 Ars Technica article titled “Unprecedented” cyberattack no excuse for Sony breach, pros say. However, the article is merely citing other statements by Kevin along with the aphorism of version 2-KNOW.
Finally, there’s a fourth version introduced by Mr Mueller’s successor, James Comey, as well! In a 6 October 2014 story, FBI Director: China Has Hacked Every Big US Company Mr Comey said:
Speaking to CBS’ 60 Minutes, James Comey had the following to say on Chinese hackers:
There are two kinds of big companies in the United States. There are those who’ve been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese.
Let’s call this last variant 2-CHINA.
To summarize, there are four versions of the “two companies” quote:
- 2-KNOW, credited to Dmitri Alperovitch in 2011, says “There are only two types of companies—those that know they’ve been compromised, and those that don’t know.”
- 2-BE, credited to Robert Mueller in 2012, says “[T]here are only two types of companies: those that have been hacked and those that will be.”
- 2-AGAIN, credited to Robert Mueller in 2012, says “[There are only two types of companies:] companies that have been hacked and will be hacked again.”
- 2-CHINA, credited to James Comey in 2014, says “There are two kinds of big companies in the United States. There are those who’ve been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese.”