Making Sense of the Confusing Language of Cybersecurity


A critical deficiency in increasing cybersecurity awareness is an inability to find common definitions. Communication among various groups about what constitutes a “cyber attack” or “data breach” is surprisingly complicated, and this can turn important discussions about lightning-fast threats to society’s digital information into exercises of parsing intent and meaning.

The world’s largest defense alliance, the North Atlantic Treaty Organization (NATO), may have said it best when they effectively threw their hands up in the air and said: “There are no common definitions for Cyber terms – they are understood to mean different things by different nations/organizations.”

Nations, businesses, and their security experts need to be in sync with one another for obvious reasons, and those outside the security industry need to know what security professionals are talking about when they address these issues. Standardizing and sharing a language would help disarm hackers and empower consumers and businesses to protect their information.

A Threat-Level Alphabet

Perhaps in part because cybersecurity’s early days involved an early-warning system for nuclear war, much of the lexicon remains steeped in verbiage like “advanced persistent threat,” “adversary,” and “kill chains.” These menacing terms do little to promote common understanding. In fact, it’s even been suggested the industry’s predilection for combative, adversarial terms has some effect on why females are heavily underrepresented in the cybersecurity industry.

The Language of Attack

The most prevalent term, “cyber attack,” has no fewer than 16 different definitions, many of which overlap. Most definitions give credence to a cyber attack as one that “disrupts,” “destroys,” “denies” or “degrades” information systems. Delving deeper, an attack may also be defined as an attempt to gain access to a system, not necessarily to disrupt it.

Some attacks have been alternately titled “data exfiltration,” or the unauthorized transfer of information. Yet “data exfiltration” is alternatively known as “data extrusion” or simply “data theft.”

Other attacks have been labeled in the press as “data breaches” or “privacy breaches.” Still others are known blandly as “cyber incidents” or a “cyber compromise,” which are too vague to offer anything useful to anyone.

Defending Definitions

“Cybersecurity” is the natural antithesis of “cyber attack,” yet this counterpart must be broken down further into components.

The first, information security, is what many people regard as the whole of cybersecurity. It refers to the prevention of unauthorized access through means of identification, authentication, and cryptography.

The second component, application security, refers to the effectiveness of the design, development, and maintenance of applications to protect against threats.

The third, network security, focuses on the integrity and safety of a given network. Think antivirus software, firewalls, VPNs, and other prevention systems to identify and repel fast-spreading threats.

The final component, disaster recovery, is a form of risk assessment that promotes planning ahead in the event of an attack to resume business operations as quickly as possible. Think of it along the lines of how state and federal officials plan for natural disasters, even when there’s no sign of one coming.

Even terms like “cyber,” and thus “cybersecurity,” might be outdated, stuck in the 1990s like “information superhighway,” “InfoSec,” or “Web 2.0.” “Cyber,” in its role as a buzzworthy prefix, has become vague, yet too ubiquitous to discard. This is especially true in government and military circles, where “cyber” denotes something of a non-personnel component understood to be complementary to, but different than, human actors.

One solution is to drop the prefix and leave “security” as the industry’s self-identifier, especially if we consider that many of the gravest modern threats are “cyber” in nature to begin with. “Security officials” sounds like an appropriate title for those who provide a bulwark against the most serious threats, even if they wield proxy servers instead of rifles.

A glossary of terms that evoke positive change and active security measures by providing teachable moments, as opposed to avoidance of the negative and fear of the outside threat, may be the best tactic to keep data safe. Successfully maneuvering through future threats will require language that can be simultaneously understood by academia, governments, and industry experts.