As published on Norse on September 22nd, 2015.
I recently stumbled over an old issue that has shown no signs of being resolved: the lack of a normalized lexicon on Cyber Security. We can’t seem to start agreeing on terminology, even though the cyber security industry is rapidly professionalizing globally and the need for a universally understood set of concepts is beginning to show. The best example of this problem is that there are at this moment roughly 28 definitions for the concept we know as “cyberspace”, with the most recent draft definition apparently being:
Cyberspace is a global and dynamic domain (subject to constant change) characterized by the combined use of electrons and electromagnetic spectrum, whose purpose is to create, store, modify, exchange, share and extract, use, eliminate information and disrupt physical resources. Cyberspace includes: a) physical infrastructures and telecommunications devices that allow for the connection of technological and communication system networks, understood in the broadest sense (SCADA devices, smartphones/tablets, computers, servers, etc.); b) computer systems (see point a) and the related (sometimes embedded) software that guarantee the domain’s basic operational functioning and connectivity; c) networks between computer systems; d) networks of networks that connect computer systems (the distinction between networks and networks of networks is mainly organizational);e) the access nodes of users and intermediaries routing nodes; f) constituent data (or resident data).Often, in common parlance, and sometimes in commercial language, networks of networks are called Internet (with a lowercase i), while networks between computers are called intranet. Internet (with a capital I, in journalistic language sometimes called the Net) can be considered a part of the system a). A distinctive and constitutive feature of cyberspace is that no central entity exercises control over all the networks that make up this new domain. – Mayer, Martino, Mazurier & Tzvetkova (2014)
This is a considerable problem for the eventual advancement of the practice, because ‘cyberspace’ isthe root term from which the entire “cyber-everything!” craze stems, and we can’t even seem to agree on what that is, exactly. How can we properly define derivative terms from a core concept that we don’t universally agree on? What is Cyber Security if nobody agrees on what Cyber is?
The result is that cyber-anything is, essentially, a rough approximation of what we mean to say. Developments in the industry haven’t yet reached the point where this is a problem for real scientific advance because there is still so much to discover. But in the long run, if the profession is to mature and be advanced beyond the point of the initial growth spurt we are currently experiencing, people will have to perform research. Thanks to that same ill-defined cyberspace, desktop research is often largely based on searching for keywords in existing research (thank you Google Scholar!). And herein lies the rub.
As said, it’s not just cyberspace that we can’t conceptually agree on. We also can’t seem to agree on the use of other terms. For instance, the terms ‘cyber security’, ‘information security’ and ‘cyber defense’ are used liberally, and are generally used to define the same set of concepts, but not always. The term ‘defense’ (singular), ‘security measure’ and ‘security control’ are all used to describe roughly the same concept as well.
Give yourself the challenge to figure out what cyber security strategy means. Some quick research will show that some authors used this term in describing “security one-liners”, such as the security principle‘Reduce Attack Surface’, whereas others use the term to describe entire frameworks. There were also authors who did not use the term “strategy” where it might have made good sense to do so.
To answer any research questions on the subject of cyber security strategies, it is necessary to first be clear on which interpretation is used. We need to know where we are now to determine where we want to go. As an industry, we have an obligation to the rest of the world to be clear in what we mean by the words that we use. Many people complain about the use of the term ‘cyber warfare’. The most common heard complaint was that talk about war incites war, and that the resultant ‘militarization’ of the internet is an undesirable state. Whether the lack of a universal lexicon is to be blamed for this, is almost certainly overstating it, but it doesn’t help either. The press loves ‘sexy’ language, and military lingo sounds very impressive. It sells. It makes for bad reporting, but when considering that we, as an industry haven’t provided them with anything better to use, maybe they are not the only ones to blame here.
If the Internet has proven anything, it is that there can be cooperation on a global scale. Perhaps one of the custodian organizations of the Internet, such as the IETF, can be used as a vehicle for the development of a universal set of concepts, who knows? But it certainly is high time we get started, before the future catches up with us.