Computer security companies have been accused of “massively” exaggerating the abilities of malicious hackers.
Dr Ian Levy, technical director of the UK’s National Cyber Security Centre, made the accusation in a speech.
He said the firms played up hackers’ abilities to help them sell security hardware and services.
Overplaying hackers’ skills let the firms claim only they could defeat attackers, a practice he likened to “witchcraft”.
In a keynote speech at the Usenix Enigma security conference, Dr Levy said it was dangerous to listen only to firms that made a living from cybersecurity.
“We are allowing massively incentivised companies to define the public perception of the problem,” he is reported as saying.
He criticised security companies’ marketing materials for depicting hackers as hugely skilled masterminds and for the hyperbolic language they used to describe cyberthreats.
Playing up the threats let security firms establish themselves as the only ones that could defeat hackers with hardware that he likened to a “magic amulet”.
“It’s medieval witchcraft – it’s genuinely medieval witchcraft,” said Dr Levy.
Often, he added, the attacks aimed at firms were not very sophisticated. As an example, he quoted an attack last year on a UK telecommunications firm that used a technique older than the teenager believed to be responsible for the incident.
Dr Levy pointed to work the NCSC had done to protect one UK government department from spam, phishing and other web-borne attacks. The system cut the number of potential threats reaching staff and had proved so successful that it was now being rolled out to other departments.
He urged other businesses to take a look at what the NCSC was doing and to read through its cyber security advice because the measures it recommended were “not completely crap”.
The NCSC was set up in October to help protect the UK from cyber-attacks.